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Preface 


This document describes how to install, configure, and uninstall IBM® Tivoli“ 
Directory Server version 5.2. IBM Tivoli Directory Server 5.2 is supported on 
Windows®, AIX®, Linux (xSeries®, zSeries®, pSeries™, and iSeries™), Solaris, and 
Hewlett-Packard UNIX® (HP-UX) operating System platforms. For detailed 
Information about supporte d operating System versions, as well as other re quired 


Software and hardware, see Chapter 4, "System requirements", on page 13 


Who should read this book 

This book is intended for System administrators. 


Publications 


Read the descriptions of the IBM Tivoli Directory Server library to determine 
which publica tions you might find helpful. After you deter mine the publications 
you need, see|"Accessing publications online" on page viii 


IBM Tivoli Directory Server library 

The publications in the IBM Tivoli Directory Server library are: 


IBM Tivoli Directo ry Server Version 5.2 Read me Addendum 

Go to the Tivoli Software Library Web site to access the IBM Tivoli Directory 
Server Version 5.2 Readme Addendum, which con tains important informat ion 


that was not include d in the Readme files. See pAccessing publications 


online" on page viii| for information about accessing online publications. 


IBM Tivoli Directory Server Version 5.2 Client Readme 

Contains last-minute information about the dient. 


IBM Tivoli Directory Server Version 5.2 Server Readme 

Contains last-minute information about the Server. 


IBM Tivoli Directory Server Version 5.2 Web Administration Tool Readme 

Contains last-minute information about the Web Administration Tool. This 
Readme is available from the main panel of the Web Administration Tool. 

IBM Tivoli Directory Server Version 5.2 Installation and Configuration Guide 

Contains complete information for installing the IBM Tivoli Directory 
Server dient, Server, and Web Administration Tool. Includes information 
about migrating from a previous version of IBM Tivoli Directory Server or 
SecureWay Directory. 

IBM Tivoli Directory Server Version 5.2 Tuning Guide 

Contains information about tuning the Server for better performance. 

IBM Tivoli Directory Server Version 5.2 Administration Guide 

Contains instructions for performing administrator tasks through the Web 
Administration Tool or the command line. 

IBM Tivoli Directory Server Version 5.2 Plug-ins Reference 

Contains information about writing Server plug-ins. 

IBM Tivoli Directory Server Version 5.2 C-Client SDK Programming Reference 
Contains information about writing LDAP dient applications. 
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Related publications 

Information related to the IBM Tivoli Directory Server is available in the following 
publications: 

• IBM Tivoli Directory Server Version 5.2 uses the Java Naming and Directory 

Interface (JNDI) dient from Sun Microsystems. For information about the JNDI 
dient, refer to the Java Naming and Directory Interface ™ 1.2.1 Specification on the 
Sun Microsystems Web site at _ 

http: / / java.sun.com / products / jndi /1.2/javadoc / index.html 

• The Tivoli Software Library provides a variety of Tivoli publications such as 
white papers, datasheets, demonstrations, redbooks, and announcement letters. 
The Tivoli Software Library is available on the W eb at: 

http: / / www.ibm. com / Software / tivoli / library / 

• The Tivoli Software Glossary includes definitions for many of the technical terms 
related to Tivoli Software. The Tivoli Softzvare Glossary is available, in English 
only, from the Glossary link on the left side of the Tiv oli Software Library Web 
page |http:/ /www.ibm.com/software/tivoli/library/ 


Accessing publications online 


The publications for this product are available online in Portable Document Format 
(PDF) or Hypert ext Markup Language (HTML) format, or both in the Tivoli 
Software library: http://www.ibm.com/software/tivoli/library 


To locate product publications in the library, dick the Product manuals link on the 
left side of the library page. Then, locate and dick the name of the product on the 
Tivoli Software information center page. 


Information is organized by product and includes READMEs, installation guides, 
user's guides, administrator's guides, and developer's references. 


Note: To ensure proper printing of PDF publications, select the Fit to page check 
box in the Adobe Acrobat Print window (which is available when you dick 

File ■* Print). 


Accessibility 

Accessibility features help a user who has a physical disability, such as restricted 
mobility or limited vision, to use Software products successfully. With this product, 
you can use assistive technologies to hear and navigate the interface. After 
installation, you also can use the keyboard instead of the mouse to operate all 
features of the graphical user interface. 


Contacting Software Support 

Betöre contacting IBM Tivoli Software support with a problem, refer to Tivoli 
Software support Web site at: 


http: / / www.ibm.com / Software / sysmgmt/products / support / 


If you need additional help, contact Software support by using the methods 
described in the IBM Software Support Guide at the following Web site: 


http://techsupport.services.ibm.com/guides/handbook.html 


The guide provides the following information: 
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• Registration and eligibility requirements for receiving support 

• Telephone numbers and e-mail addresses, depending on the country in which 
you are located 

• A list of Information you should gather before contacting customer support 


Conventions used in this book 

This reference uses several conventions for special terms and actions and for 

operating system-dependent commands and paths. 

Typeface conventions 

The following typeface conventions are used in this reference: 

Bold Lowercase commands or mixed case commands that are difficult to 

distinguish from surrounding text, keywords, parameters, options, names 
of Java classes, and objects are in bold. 

Italic Titles of publications, and special words or phrases that are emphasized 
are in italic. 


<Italic> 

Variables are set off with < > and are in <italic>. 

Monospace 

Code examples, command lines, screen output, file and directory names 
that are difficult to distinguish from surrounding text, System messages, 
text that the user must type, and values for arguments or command 
options are in monospace. 

Operating System differences 

This book uses the UNIX Convention for specifying environment variables and for 
directory notation. When using the Windows command line, replace $variable with 
%variable% for environment variables and replace each forward slash (/) with a 
backslash (\) in directory paths. If you are using the bash shell on a Windows 
System, you can use the UNIX conventions. 


Preface IX 



X IBM Tivoli Directory Server: Installation and Configuration Guide 


Chapter 1. Quick installation path 


To follow the simplest path through installation, use the checklist in this chapter. If 


vou are migrating from a previous rclcasc, do n ot use this checklist. See Chapter 5, 
Migration from previous releases", on page 29 for instructions. 

_ 1. Be sure that you have the minimum required hardware and Software. 


See Chapter 4, "System requirements", on page 13 for information. There is 
a section for the dient and the Server for each operating System. 

Also see the IBM Tivoli Directory Server Version 5.2 Server Readme, IBM Tivoli 
Directory Server Version 5.2 Client Readme, and IBM Tivoli Direc tory Server 


Version 5.2 Readme Addendum for last-minute information. (See "Accessing 


2 . 


3. 


publications.) 

Plan your database. 


publications online" on page viii for information about accessing online 


'Database configuration planning", on page 119|for 


See |Appendix A, 
information. 

If you are installing the Server, create the user ID that will own the 
database. (On UNIX-based platforms, you can wait until after installation, 
but you must create the user ID betöre configuration.) 


See r Betöre you configure: creating the DB2 database owner and database 


4. 


instance owner" on page 85| for information. 

Install IBM Tivoli Directory Server using the InstallShield GUI, if available 
for your operating System platform. You can use the InstallShield GUI on 
Windows, AIX, xSeries Linux, and Solaris operating Systems. 


page 49 


For Win dows platforms, see "Installing on a Windows platform" on 


For UNI X-based platforms, see "Installing on a UNIX-based platform" on 
page 53, 


5. 

6 . 


Note: If you prefer to install IBM Tivoli Directory Server using Utilities for 
your operating System, see the chapter for your operating System. 
These chapters are: 


Chapter 7, "Installing IBM Tivoli Directory Server using AIX 


Utilities", on page 57 


Chapter 8, "Installing IBM Tivoli Directory Server using Linux 

Utilities", on page 63 


Chapter 9, "Installing IBM Tivoli Directory Server using Solaris 


Utilities", on page 67 


Chapter 10, "Installing IBM Tivoli Directory Server using HP-UX 


Utilities", on page 73 


On Windows, after the System restarts, log on as the user you were logged 
on as during installation. 


After the Configuration Tool Starts, set the Administrator distinguished 
name (DN) and password. 


See 
information. 


'Setting the Administrator DN and password" on page 84 for 
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Note: If you used operating System Utilities to install, you must start 

configuration from the command line, using one of the following 
commands: 


7. 

8 . 


ldapxcfg to use the Configuration Tool. 

ldapcfg to use the command line utility. See "Using the ldapcfg 


utility" on page 92 for information. 


Configure the database using the Configuration Tool. 
See 


'Configuring the database" on page 86 


for information. 


Optionally, verify the installation and configuration by loading the sample 
database. 


See 
information. 


Appendix G, "Loading a sample database", on page 133 for 


9. Start the Server and the Web Administration Tool. 


See Chapter 13, "After you install and configure", on page 97 for 


information. 


10. See the IBM Tivoli Directory Server Version 5.2 Administration Guide for 
information about setting up and using the Server. 
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Chapter 2. About this release 


This chapter gives detailed information about new features and industry Standards 
that are implemented in this release of IBM Tivoli Directory Server. 


What’s new for this release 


The following enhancements and changes have been made to IBM Tivoli Directory 
Server for the 5.2 release. 

Updated versions of corequisite products 

The InstallShield GUI Installation program includes an integrated 
installation of the following products. These products are also available on 
the CD or they can be downloaded. 

• DB2® Universal Database version 8.1 Enterprise Server Edition (DB2) 
with FixPak 2. 

• Global Security Kit (GSKit) version 7a. GSKit includes open-source 
libraries. 

• The embedded version of WebSphere Application Server - Express 
version 5.0.2. 

Support for Windows Server 2003 

IBM Tivoli Directory Server supports the Microsoft® Windows Server 2003 
operating System, Standard and Enterprise editions. 

Non-SSL packages only on AIX 

In previous versions, both Secure Sockets Layer (SSL) and non-SSL 
packages were provided on all operating System platforms. For IBM Tivoli 
Directory Server version 5.2, non-SSL packages are provided only on AIX. 

Full 64-bit Server Support on AIX 

IBM Tivoli Directory Server has been ported to 64-bit architecture on AIX 
only. Solaris, HP-UX, Linux zSeries, Linux Intel, Linux iSeries and pSeries, 
and Windows remain 32-bit Servers. The Web Administration Tool remains 
a 32-bit application. The 32-bit Server will no longer be available on AIX; 
however, the dient SDK will still be available as a 32-bit application. The 
64-bit architecture increases the ability to cache a large number of directory 
entries. 


Notes: 


1 . 

2 . 


AIX Version 5.1 or later is required for the 64-bit AIX Server. 

To move up to 64-bit Server support, you must migrate your database. 
However, you do not need to unload and reload your data . See 
Chapter 5, "Migration from previous releases", on page 29 for 


information. 


Authentication methods for LDAP (RFC 2829) 

IBM Tivoli Directory Server 5.2 provides support for DIGEST-MD5 Simple 
Authentication and Security Layer (SASL) authentication, as well as 
Transport Layer Security (TLS) support as defined in RFC 2829. 

LDAP v3 Extensions for TLS (RFC 2830) 

TLS allows clients to connect to the Server on a non-secure port 
and issue a TLS start command. If GSKit is installed, the Server 
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honors the request and begins a secure Connection with the dient. 
RFC 2830 specifies how LDAP should support TLS. 

DIGEST-MD5 SASL Mechanism (RFC 2831) 

RFC 2831 defines how FITTP Digest Authentication (Digest) can be 
used as an SASL mechanism for any protocol that has an SASL 
profile. (RFC 2222 defines SASL.) DIGEST-MD5 is intended to be 
both an improvement over CRAM-MD5 and a convenient way to 
Support a single authentication mechanism for Web, mail, LDAP, 
and other protocols. 

Use of Language codes (RFC 2596) 

RFC 2596 defines a mechanism that allows the directory to associate 
natural language codes with values that meet certain natural language 
requirements. IBM Tivoli Directory Server 5.2 supports a single language 
code Option and language tag support discovery. 

Subtree search on null base 

A subtree can now be searched from a null base. This provides a shorthand 
way to retrieve all entries in the directory. In earlier releases, multiple 
searches were required for each suffix to search the entire directory. 

Unique Attributes 

IBM Tivoli Directory Server 5.2 allows the administrator to identify 
attributes that must have unique values. This ensures that there are not 
two directory entries with the same attribute values. For example, no two 
users can have the same user ID or email address if these attributes have 
been configured to enforce uniqueness. 

Delegation of Server administration to a group of administrative users 

In previous releases, IBM Directory Server required that the administrator 
user ID be used to perform Server tasks such as replication configuration 
and starting and stopping the Server. For the 5.2 release, there is an 
administration group that contains IDs of users with administrative rights 
and privileges. This avoids the use of a single administration ID shared by 
a number of administrators. The root administrator can add or remove 
members from the administration group. 

Prevention of denial of Service 

For the 5.2 release, support has been added to reduce the vulnerability of 
the Server to malicious attacks, causing a denial of Service. The Server can 
be configured to reject non-responsive clients after some number of 
attempts. Support has also been added to close connections issued by a 
specific IP address or DN. An emergency thread is available when some 
number of items, configurable on the Server, are on the work queue. This 
provides a method for the administrator to access the Server during a 
denial of Service attack. The oldest connections can, through configurable 
parameters, be reused first. 

Unbind of bound DN/IP 

This security enhancement allows an administrator to force a specific 
bound DN or IP address to unbind. The emergency thread added in the 
denial of service prevention feature enhances this feature by ensuring that 
an administrator always has access to unbind bound DNs and IP 
addresses. 

Group specific search limits 

You can now configure "extended" search limits for a defined group of 
people who are not the administrator or part of the administration group. 
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Preservation of operational attributes 

The operational attributes creatorsName, createTimestamp, 
lastModifiedBy, and lastModifiedTime are now preserved so that they are 
consistent between a master and its replicas. In addition, these attributes 
are now imported by the ldif2db and bulkload Utilities and exported by 
the db2ldif utility. 

Attribute cache 

The attribute Cache improves search performance for certain search filters 
by allowing configured attributes and their values to be stored in memory. 
When a search is performed using a filter that contains all cached 
attributes and the filter is of a type supported by the attribute cache 
manager, the filter can be resolved in memory; this leads to improved 
search performance. 

Serviceability improvements 

The following new features improve the serviceability of IBM Tivoli 
Directory Server: 

Server input and output logging 

The actual input and output from the Server can now be logged to 
allow better analysis of problems. In previous releases, the LDAP 
dient library output the BER data to stderr or a file. The new 
feature adds the capability to record the same formatted BER data 
one time to the in-memory trace. The trace facility can then be 
used to extract this data. 

Dynamic trace enablement 

Trace information from the Server can now be captured without 
stopping and restarting the Server. The level of tracing and the size 
available for trace output can also be configured dynamically. 

Monitor enhancements 

More information has been added to the output of cn=monitor to 
be used in analyzing Server performance. These attributes are 
intended for directory administrators only. The new information 
includes counts of completed operations by type (for example, 
BIND, MODIFY, COMPARE, SEARCH), depth of the work queue, 
number of available workers, counts of messages added to the 
Server log, audit log, command-line interface errors, and counts of 
SSL Connections. Information is also included about what worker 
threads are doing and when they started. 

Additional Support on iSeries and pSeries Linux 

Support for the new iSeries and pSeries Linux platforms was added in the 
IBM Tivoli Directory Server 5.1 FixPak 1. IBM Tivoli Directory Server 5.2 
adds more support for iSeries and pSeries: the Web Administration Tool 
can now be used on these platforms, and translated messages have been 
added. 

System and restricted ACLs - compatibility with OS/390® 

Support has been added for specification and evaluation of ACLs for the 
System and restricted attribute classes. This resolves the following 
interoperability problems between IBM Tivoli Directory Server and OS/390 
versions of the LDAP Server. 

• In previous releases, during replication the IBM Tivoli Directory Server 
Server rejected any directory entry data that contained ACL 
specifications with references to System or restricted attribute classes. 
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Replication from an OS/390 Server provider to an IBM Tivoli Directory 
Server Server consumer therefore failed. 

• In previous releases, ACL management code could not be written that 
would run correctly on both types of Servers. A dient application written 
for an IBM Tivoli Directory Server environment might not work properly 
on an OS/390 Server because the ACLs might not allow the application 
to read System attributes. Conversely, a dient application developed for 
an OS/390 Server environment would fail to work properly on an IBM 
Tivoli Directory Server Server if the application attempted to set ACLs 
on System or restricted attributes. 

This feature replaces the limited restricted attribute dass ACL support, 
originally provided by IBM Directory Server 5.1 Protection of Access 
Control Information feature (ibm-slapdACLAccess), with full directory 
specific ACL support. The behavior of this feature is consistent with the 
existing ACL support provided for the other attribute access classes: 
normal, sensitive, and critical. 

To maintain consistency with the legacy IBM Directory Server ACL 
model, existing version 5.1 directories that contain entries with explicit 
ACL specification will be automatically migrated to provide legacy 
default read, search, and compare access for the subject DN 
group:cn=anybody, as well as any specific access IDs. This is to prevent 
an unexpected loss of default access after migration. If denial of access is 
required, it should be explicitly specified in the directory, based on the 
specific needs and desires of the individual IBM Tivoli Directory Server 
administrator. 

Support for identity assertions (proxied authentication) 

Support has been added for identity assertions, also known as LDAP 
Proxied Authorization Control. The Proxied Authorization Control allows a 
dient to request that an Operation be processed under a provided 
authorization identity instead of as the current authorization identity 
associated with the Connection. 

Option that the Server does not dereference aliases by default 

In previous releases, the Java " Naming and Directory Interface (JNDI) had 
dereferencing aliases by default. This sometimes caused performance 
degradation on the Server even if no alias entries existed in the Server. A 
Server configuration Option has been added to override the dereference 
Option specified in the dient search request. Additionally, if no alias objects 
exist in the directory, the Server always bypasses the dereference logic. 

Gateway replication 

Gateway replication uses Gateway Servers to collect and distribute 
replication information effectively across a replicating network. The 
primary benefit of Gateway replication is the reduction of network traffic. 

Enhancements to the Web Administration Tool 

Enhancements have been made to the Web Administration Tool, including 
the following: 

• Support for administration of OS/400® V5R3 and z/OS™ R4 LDAP 
Servers 

• Support for object dass inheritance from multiple superior objects 

• Support for peer to peer replication 

• Support for gateway replication 

• Web Administration support for most new features 
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Support for industry Standards 

The following Standards are implemented in IBM Tivoli Directory Server 5.2. This 
list includes Standards that were implemented in previous releases. Newly 
implemented Standards are marked with an asterisk (*). 

• RFC 1274 The COSINE and Internet X.500 Schema 

• RFC 1777 Lightweight Directory Access Protocol (V2) 

• RFC 1778 String Representation of Standard Attribute Syntaxes 

• RFC 1779 String Representation of Distinguished Names 

• RFC 1823 LDAP Application Program Interface (V2) 

• RFC 2052 A DNS RR for Specifying the Location of Services (DNS SRV) 

• RFC 2219 Use of DNS Aliases for Network Services 

• RFC 2222 Simple Authentication and Security Layer (SASL) 

• RFC 2247 Using Domains in LDAP/X.500 Distinguished Names 

• RFC 2251 Lightweight Directory Access Protocol (V3) 

• RPC 2252 Lightweight Directory Access Protocol (V3): Attribute Syntax 
Definitions 

• RPC 2253 Lightweight Directory Access Protocol (V3): UTP-8 String 
Representation of Distinguished Names 

• RPC 2254 The String Representation of LDAP Search Pilters 

• RPC 2255 The LDAP URL Pormat 

• RFC 2256 A Summary of the X.500(96) User Schema for use with LDAPv3 

• * RFC 2596 Use of Language code in LDAP 

• RFC 2696 LDAP Control Extension for Simple Paged Results Manipulation 

• * RFC 2829 Authentication Methods for LDAP 

• * RFC 2830 (V3) Extension for Transport Layer Security (TLS) 

• * RFC 2831 Using DIGEST authentication as a SASL Mechanism 

• RFC 2849 The LDAP Data Interchange Format (LDIF) - Technical Specification 

• RFC 2891 LDAP Control Extension for Server Side Sorting of Search Results 

• The Open Group Schema for liPerson and liOrganization (NAC/LIPS) 
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Chapter 3. Installation, configuration, and migration overview 

This chapter briefly describes the migration, installation, and configuration 
procedures for IBM Tivoli Directory Server version 5.2. 

If you have a pre-existing version of Lightweight Directory Access Protocol (LDAP) 
from a vendor other than IBM, you should remove it before installing the IBM 
Tivoli Directory Server. If you attempt to install the IBM Tivoli Directory Server 
without removing the other vendor's version, the resulting file name conflicts 
might prevent either version from working. 

Note: A version of LDAP is installed by default on some operating Systems. 


Migration from a previous release 

If you have a previous version of the IBM Directory, such as SecureWay® Version 
3.1.1.5, 3.2, 3.2.1, or 3.2.2, or IBM Directory Server 4.1, 5.1, or 5.1 for Linux iSeries 
and pSeries, migration is necessary to preserve any changes that you have made to 
the Schema definitions and to preserve your directory Server configuration. 


If you want to migra te your data, see |Chapter 5, "Migration from previous 


releases", on page 29| before beginning the installation process for IBM Tivoli 


Directory Server 5.2. 


Attention: If you have SecureWay Directory Version 3.1.1.5, 3.2, or 3.2.1 currently 
installed and you want to migrate your data, you must Upgrade to level 3.2.2 
before installing IBM Tivoli Directory Server 5.2. You can download SecureWay 

Directory version 3.2.2 from the IBM Directory Web page at _ 

http: / / www.ibm.com / software/tivoli/products / directory-server / 


See the SecureWay Directory version 3.2.2 documentation for information about 
migrating from version 3.1.1.5. 


Before you install: zip, tar, and iso files 

The IBM Tivoli Directory Server product is available in three file formats: zip, tar, 
and iso. 

If you downloaded a zipped file, use a product such as PKZIP to unzip the file 
after you download it to your Computer. 

The tar file is a Tape ARchive type of file. After you download a tar file, untar it. 

The iso version of the product is used to burn an installation CD-ROM that can 
then be used in the installation process. The iso file is an image that must be 
processed through a CD-ROM burner program to create the CD-ROM. When you 
create the CD-ROM, be sure that you do not make a data CD of the iso file. Select 
the Option that unencapsulates the data from the iso file and burns the files on the 
CD-ROM. 

After you process the downloaded file, you can install IBM Tivoli Directory Server 
using the installation instructions in the appropriate installation chapter. 
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Installation 


When you install IBM Tivoli Directory Server, you can install either the dient or 
the Server, which requires the dient. 


In addition, you can install the Web Administration Tool on an application Server, 
with or without the Server or the dient. You can use the Web Administration Tool 
to administer IBM Tivoli Directory Server Servers either locally or remotely. You 
can install a single Web Administration console to manage multiple IBM Tivoli 
Directory Server Servers. (You can manage Servers from previous releases, 
incl uding SecureWav Directory 3.2.x and IBM Directory Server v ersion 4.1 and 5.1. 
See "Requirements for the Web Administration Tool" on page 26 for a complete list 


of Servers that can be managed.) 


IBM Tivoli Directory Server 5.2 has several installation options. You can install 
using an InstallShield graphical user interface (GUI) or use platform-specific 
installation methods such as the command line or installation tools for the 
operating System. Instructions for using the InstallShield GUI a re found in 
Chapter 6, "Installing using the InstallShield GUI", on page 49 


For platform-specific installation instructions, see the in stallation chapter for the 


platform for which vou are installing. For example, see 

Chapter 7, "Installing IBM 

Tivoli Directory Server using AIX Utilities", on page 57 



Note: Only native installation methods are available for HP-UX; iSeries, pSeries, 
and zSeries Linux operating Systems; and AIX 4.3.3 (dient only). 


See 


requirements. 


Chapter 4, "System requirements", on page 13 


for hardware and Software 


Configuration 

You can use either the Configuration Tool (ldapxcfg), which has a GUI, or the 
ldapcfg command-line utility to configure the Server. To unconfigure the Server, 
you can use ldapxcfg or the ldapucfg command-line utility. 

After successful installation of the Server, if you used the InstallShield GUI to 
install, the Configuration Tool runs. (This is true for all platforms on which the 
InstallShield GUI is supported.) If you did not use the InstallShield GUI to install, 
you must run the Configuration Tool or use ldapcfg. You must perform the 
following configuration tasks betöre you can use the Server: 

• Set the IBM Tivoli Directory Server administrator distinguished name (DN) and 
password. This Operation can be compared to defining the root user ID and 
password on a UNIX System. 


Configure the database. ( 
database owner first. See 

3e sure that vou have created the user ID for the 

"Betöre vou configure: creating the DB2 database 

owner and database instance owner" on page 85 

for detailed information.) 


The ldapxcfg program can be used for the following tasks: 

• Setting or changing the IBM Tivoli Directory Server administrator distinguished 
name (DN) and password 

• Configuring and unconfiguring the database 

• Enabling and disabling the changelog 

• Adding or removing Suffixes 
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• Adding Schema files to or removing Schema files from the list of Schema files to 
be loaded at startup 

• Importing and exporting LDAP Data Interchange Format (LDIF) data 

• Backing up, restoring, and optimizing the database 

If you prefer to use the command line, all the tasks in the list can be done with a 
combination of command line Utilities, including ldapcfg, ldapucfg, dbback, 
dbrestore, runstats, bulkload, ldif2db, and db2ldif. 


You can find in formation about ldapxcfg, ldapcfg, ldapu cfg, dbback, db restore, 
and runstats in Chapter 12, "Configuration", on page 83|and Chapter 14, 


Unconfiguring the database and uninstalling IBM Tivoli Directory Server", on 


page 99 
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Chapter 4. System requirements 


To install the IBM Tivoli Directory Server packages, administer the Server, and use 
the Global Security Kit (GSKit), your Computer must meet the minimum System 
requirements as outlined in this chapter. 


Requirements for the dient 

The following sections show System requirements for the IBM Tivoli Directory 
Server dient. 

Windows operating Systems dient requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Client Readme for 
any updated information about supported versions of Windows operating Systems. 
The file name is client.txt. The file is in the root directory of the CD or the 
directory where you unzipped the dient package. After installing, the dient 
Readme file is located in the installpath\doc\lang directory in files client.txt, 
client.pdf, and client.htm, where: 

• lang is the locale you chose when you installed IBM Tivoli Directory Server. 

• installpath is the location where the IBM Tivoli Directory Server dient is 
installed. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 


last-minute information. (See |" Accessing publications online" on page viii| for 


information about accessing online publications.) 


The following hardware and Software are required for the Windows dient: 

Operating System 

The dient is supported on the following Windows operating System 
platforms: 

• Microsoft Windows 2000 

• Windows XP 

• Windows Server 2003 Standard or Enterprise 

• Windows NT® 4.0 with Service Pack 6 or higher 

Memory 

A minimum of 128 MB RAM is required. (For better results, use 256 MB or 
more.) 

Disk space 

If you plan to use the InstallShield GUI to install, be sure that you have at 
least 100 MB of free space in the directory specified by the TEMP 
environment variable. 

Other Software 

To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 

AIX operating System dient requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Client Readme for 
any updated information about supported versions of the AIX operating System. 
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The file name is client.txt. The file is in the root directory of the CD or the 
directory where you untarred the client package. After installing, the dient Readme 
file is located in the /usr/1dap/doc//fl ng directory in files client.txt, client.pdf, and 
client.htm, where lang is the locale you chose when you installed IBM Tivoli 
Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 
last-minute information. (See "Accessing publications online" on page viii 


information about accessing online publications.) 


for 


The following hardware and Software are required for the AIX client: 

Operating System 

The client is supported on the following versions of AIX: 

• AIX 4.3.3 

• AIX 5.1 

• AIX 5.2 


Note: The client is 32-bit. 

Memory 

A minimum of 128 MB RAM is required. (For better results, use 256 MB or 
more.) 

Disk space 

If you plan to use the InstallShield GUI to install, be sure that you have at 
least 100 MB of free space in the /var directory and at least 200 MB in the 
/tmp directory. 

Note: The InstallShield GUI is not available on AIX 4.3.3. 

Other Software 

• The Korn shell is required. 

• For AIX 4.3.3 you must install AIX Maintenance Level 8 or higher. On 
AIX 5.1, you must install AIX Maintenance Level 4 or higher. On AIX 

5.2, you must install AIX Maintenance Level 1 or higher. 

Note: If you have no locale-specific requirements, after you apply all the 
Services that you need for your System, restart your System to 
enable the changes. 

• The bos.loc.iso.ZFI_TW fileset must be installed for the Taiwan locale. 

The fileset is available from the AIX 4.3.3 installation medium. 

• The xlC.rte 6.0.0.0 or later fileset is required for GSKit 7a on AIX 5.1 and 

5.2. 

• The xlC.aix43.rte 6.0.0.0 or later fileset is required for GSKit 7a on AIX 
4.3.3. 

• To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 

xSeries Linux operating System client requirements 

Betöre installing, see the IBM Tivoli Directory Server Version 5.2 Client Readme for 
any updated information about supported versions of the Linux operating System. 
The file name is client.txt. The file is in the root directory of the CD or the 
directory where you untarred the client package. After installing, the client Readme 
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file is located in the /usr/ldap/doc /lang directory in files client.txt, client.pdf, and 
client.htm, where lang is the locale you chose when you installed IBM Tivoli 
Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 


last-minute information. (See "Accessing publications online" on page viii 


information about accessing online publications.) 


for 


The following hardware and Software are required for the xSeries Linux dient: 

Operating System 

The dient is supported on the following versions of xSeries Linux: 

• Red Hat Enterprise Linux 3.0 

• UnitedLinux 1.0 

• SuSE Linux Enterprise Server 8 

Memory 

A minimum of 128 MB RAM is required. (For better results, use 256 MB or 
more.) 

Disk space 

If you plan to use the InstallShield GUI to install, be sure that you have at 
least 100 MB of free space in the /var directory and at least 200 MB in the 
/tmp directory. 

Other Software 

• The Korn shell is required. 

• To use GSKit, the IBM JRE or JDI< 1.4.1 or an equivalent JRE or JDK is 
required. 

zSeries Linux operating System dient requirements 

Betöre installing, see the IBM Tivoli Directory Server Version 5.2 Client Readme for 
any updated information about supported versions of the zSeries Linux operating 
System. The file name is client.txt. The file is in the root directory of the CD or the 
directory where you untarred the dient package. After installing, the dient Readme 
file is located in the /usr/ldap/doc/Uny directory in files client.txt, client.pdf, and 
client.htm, where lang is the locale you chose when you installed IBM Tivoli 
Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 


last-minute information. (See "Accessing publications online" on page viii for 


information about accessing online publications.) 


The following hardware and Software are required for the zSeries Linux dient: 

Operating System 

The dient is supported on the following versions of zSeries Linux: 

• Red Hat Enterprise Linux 3.0 

• SuSE Linux Enterprise Server 8 

Memory 

A minimum of 128 MB RAM is required. (For better results, use 256 MB or 
more.) 


Other Software 

• The Korn shell is required. 
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• To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 

iSeries and pSeries Linux operating System dient 
requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Client Readme for 
any updated Information about supported versions of the iSeries or pSeries Linux 
operating System. The file name is client.txt. The file is in the root directory of the 
CD or the directory where you untarred the dient package. After installing, the 
dient Readme file is located in the / u sr/1 dap / d oc / lang directory in files client.txt, 
client.pdf, and client.htm, where lang is the locale you chose when you installed 
IBM Tivoli Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 
last-minute Information. (See 


' Accessing publications online" on page viii for 


Information about accessing online publications.) 


The following hardware and Software are required for the iSeries and pSeries for 
Linux clients: 

Operating system 

The dient is supported on the following versions of iSeries and pSeries for 
Linux: 

• Red Hat Enterprise Linux 3.0 

• UnitedLinux 1.0 

• SuSE Linux Enterprise Server 8 

Memory 

A minimum of 128 MB RAM is required. (Eor better results, use 256 MB or 
more.) 

Other Software 

• The Korn shell is required. 

• To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 

Solaris operating System dient requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Client Readme for 
any updated Information about supported versions of the Solaris operating System. 
The file name is client.txt. The file is in the root directory of the CD or the 
directory where you untarred the dient package. After installing, the dient Readme 
file is located in the /opt/IBMIdaps/doc/ lang directory in files client.txt, client.pdf, 
and client.htm, where lang is the locale you chose when you installed IBM Tivoli 
Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 
last-minute Information. (See "Accessing publications online" on page viii 


Information about accessing online publications.) 


for 


The following hardware and Software are required for the Solaris dient: 

Operating system 

The dient is supported on the following versions of Solaris: 

• Solaris Operating Environment Software versions 7, 8, or 9 
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Memory 

A minimum of 128 MB RAM is required. (For better results, use 256 MB or 
more.) 


Disk space 

If you plan to use the InstallShield GUI to install, be sure that you have at 
least 100 MB of free space in the /var directory and at least 200 MB in the 
/tmp directory. 


Other Software 


• The Korn shell is required. 

• Ensure that the code page conversion routines (en_US.UTF-8 1.0) are 
installed. 


If you plan to use the InstallShield GUI to install, patches are required 
for the Java 2 Runtime Environment, v. 1.4.1. 

To obtain patches, see the SunSolve Support Web site at: 


http://sunsolve.sun.com/pub-cgi/show.pl7target-patches/J2SE 


Also see |http:/ /ja va.sun.com /j2se/1.3/font-rcquircmcnts.html| for 
information about which tont packages should be on your System. 
To use GSKit, the following are required: 


- On Solaris 7, the following patches are required for the gsk runtime 
and SDK 2: 106950-22, 106327-18, 106300-19, 107834-04, 107544-03, 
106541-24, and 106980-22. 


- On Solaris 8, the following patches are required for the gsk runtime: 
108434-02 111327-02, 108991, 108827 and 108528 For gsk SDK 2 : 
109505-08, 109508-04, 109510-03, and 109513-05. 

- On Solaris 9, the following patches are required for the gsk runtime: 
108434-02 111327-02, 108991, 108827 and 108528. The following 
patches are required for the gsk SDK 2: 109505-08, 109508-04, 
109510-03, and 109513-05. 

- IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is required. 


Hewlett-Packard UNIX (HP-UX) operating System dient 
requirements 

Betöre installing, see the IBM Tivoli Directory Server Version 5.2 Client Readme for 
any updated information about supported versions of the HP-UX operating 
System. The file name is client.txt. The file is in the root directory of the CD or the 
directory where you untarred the dient package. After installing, the dient Readme 
file is located in the /usr/IBMldap/doc/Uny directory in files client.txt, client.pdf, 
and client.htm, where lang is the locale you chose when you installed IBM Tivoli 
Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 
last-minute information. (See 


' Accessing publications online" on page viii for 


information about accessing online publications.) 


The following hardware and Software are required for the HP-UX dient: 

Operating System 

The dient is supported on HP-UX 11 or lli with the following patches: 

• December 2001 GOLDBASElli bündle 

• December 2001 GOLDAPPSlli bündle 

• Patch PHSS_26560 
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Memory 

A minimum of 128 MB RAM is required. (For better results, use 256 MB or 
more.) 

Other Software 

• The Korn shell is required. 

• To use GSKit, HP-UX Runtime Environment for the Java 2 Platform 
Version 1.4.1. is required. 

• To use GSKit, the following patches are required: 

- For HP-UX 11, patches 108434-02 111327-02, 108991, 108827 and 
108528 are required for the gsk runtime; patches 109505-08, 109508-04, 
109510-03, and 109513-05 are required for the gsk SDK. 

- For HP-UX lli, patch PHSS_26946 is required for the gsk runtime. 


Requirements for the Server (including the dient) 

The following sections show System requirements for installing and using the 
Server. These requirements include the dient requirements. 

Windows operating Systems Server requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Server Readme for 
any updated information about supported versions of the Windows operating 
System. The Readme file is in the root directory of the CD or the directory where 
you unzipped the Server package. After installing, the Readme file is located in the 
installpath\doc\lang directory in files server.txt, server.pdf, and server.htm, where: 

• installpath is the location where IBM Tivoli Directory Server is installed. 

• lang is the locale you chose when you installed IBM Tivoli Directory Server. For 
example, for United States English the locale is en_US. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 


last-minute information. (See "Accessing publications online" on page viii for 


information about accessing online publications.) 


The following hardware and Software are required for the Windows Server: 

Operating System 

The Server is supported on the following versions of Windows: 

• Windows 2000 

• Windows Server 2003, Standard or Enterprise 

• Windows NT 4.0 with Service Pack 6 or later; a Windows NT file System 
(NTFS) is required for security support. 

Memory 

A minimum of 256 MB RAM is required. (For better results, use 512 MB or 

more.) 

Disk space 

• If you plan to use the InstallShield GUI to install, be sure that you have 
at least 100 MB of free space in the directory specified by the TEMP 
environment variable. 

• If you already have DB2 installed, you need approximately 25 MB of 
disk space to create the empty database and start the Server. (DB2 
requires about 300-500 MB of disk space.) IBM Tivoli Directory Server 
(including the dient and the Server) requires about 110 MB. 
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Disk space required for data storage is dependent upon the number and 
size of database entries. Allow a minimum of 80 MB for your database 
on Windows Systems. Also allow another 2 to 3 MB of disk space when 
creating the DB2 instance. See the IBM Tivoli Directory Server Version 5.2 
Server Readme file and the IBM Tivoli Directory Server Version 5.2 Readme 
Addendum for any last minute changes to da tabase requirements. (See 


'Accessing publications online" on page viii 


accessing online publications.) 


for information about 


Other Software 


• The minimum supported level of DB2 is DB2 Version 7.2 with FixPak 5 
or later. DB2 Version 8.1 Enterprise Server Edition with FixPak 2 is 
included with IBM Tivoli Directory Server and is installed if a supported 
version of DB2 is not detected on your System. If you have a version of 
DB2 earlier than Version 7.2 with FixPak 5 installed on your System, you 
must remove it or Upgrade it before installing IBM Tivoli Directory 
Server version 5.2. 


Attention: If you have a version of Sec ureWay Directory installed, r ead 


and understand the migration process in |Chapter 5, "Migration from 


previous releases", on page 29| before removing or upgrading DB2. If you 


remove DB2 before migrating, you will lose your data. 

To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 


AIX operating System Server requirements 

Betöre installing, see the IBM Tivoli Directory Server Version 5.2 Server Readme for 
any updated information about supported versions of the AIX operating System. 
The file name is server.txt. The file is in the root directory of the CD or the 
directory where you untarred the Server package. After installing, the Readme file 
is located in the /usr/ldap/doc/kz«y directory in files server.txt, server.pdf, and 
server.htm, where lang is the locale you chose when you installed IBM Tivoli 
Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 


last-minute information. (See "Accessing publications online" on page viii for 


information about accessing online publications.) 


The following hardware and Software are required for the AIX Server: 

Operating System 

The Server is supported on the following versions of AIX: 

• AIX 5.1 

• AIX 5.2 


Note: The Server is not supported on AIX 4.3.3. 

Memory 

A minimum of 512 MB RAM is required. (For better results, use 1 GB or 

more.) 

Disk space 

• If you plan to use the InstallShield GUI to install, be sure that you have 
at least 100 MB of free space in the /var directory and at least 400 MB in 
the /tmp directory. 

• If you already have DB2 installed, you need approximately 30 MB of 
disk space to create the empty database and start the Server. (DB2 
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requires about 300-500 MB of disk space.) IBM Tivoli Directory Server 
(including the dient and the Server) requires about 160 MB. 


Disk space required for data storage is dependent upon the number and 
size of database entries. Allow a minimum of 80 MB for your database 
on UNIX Systems. Also, ensure that there is approximately another 4 MB 
of disk space in the home directory of the user who will own the 
database to create the DB2 instance. (Normally, this directory is /home, 
but you can specify another directory if you do not have enough spa ce 


in the /home directory. See "Betöre you configure: creating the DB2 


database owner and database instance owner" on page 85 


for more 


information.) See the IBM Tivoli Directory Server Version 5.2 Server Readme 
file and the IBM Tivoli Directory Server Version 5.2 Read me Addendum for 


any last minute changes to datab ase requirements. (See "Accessing 


publications.) 


publications online" on page viii for information about accessing online 


Other hardware 

You must be running on 64-bit hardware. See 


'Verifying that AIX hardware 


is 64-bit" on page 115 for information about detecting whether your 


hardware is 64-bit. 


Other Software 

• You must be running a 64-bit kernel. See 


'Verifying that the AIX kernel 


is 64-bit" on page 115 for information about detecting whether you are 


running a 64-bit kernel. 


• The Korn shell is required. 

• On AIX 5.1, you must install AIX Maintenance Level 4 or higher. On AIX 
5.2, you must install AIX Maintenance Level 1 or higher. 


Note: If you have no locale-specific requirements, after you apply all the 
Services that you need for your System, restart your System to 
enable the changes. 

• The xlC.aix50.rte 6.0.0.0 or later fileset is required for GSKit 7a. 

• To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 


Other 


Be sure that asynchronous I/O is turned on. See "Error on AIX 5.1 when 


running db2start" on page 115 for information. 


• DB2 Universal Database for AIX version 8.1 Enterprise Server Edition with 
FixPak 2 (DB2) is included with the IBM Tivoli Directory Server. For AIX, no 
previous versions of DB2 are supported. 


Notes: 


1 . 


2 . 


If you have SecureWay Directory Version 3.1.1.5, 3.2, 3.2.1, or 3.2.2, or IBM 
Directory Server 4.1 or 5.1 installed, read and understand the migrati on 
process in 


Chapter 5, "Migration from previous releases", on page 29 


removing or upgrading DB2. 


betöre 


If you are upgrading your level of DB2, ensure that you follow the DB2 
migration procedure, which requires you to stop all applications. If you have 
a Server up and running and you uninstall DB2 without reinstalling the IBM 
Tivoli Directory Server, the directory Server cannot start. 


xSeries Linux operating System Server requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Server Readme for 
any updated information about supported versions of Linux. The file name is 
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server.txt. The file is in the root directory of the CD or the directory where you 
untarred the Server package. After installing, the Server Readme file is located in 
the /usr/ldap/doc/kmg directory in files server.txt, server.pdf, and server.htm, 
where lang is the locale you chose when you installed IBM Tivoli Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 
last-minute information. (See "Accessing publications online" on page viii 


information about accessing online publications.) 


for 


The following hardware and Software are required for the xSeries Linux Server: 

Operating System 

The Server is supported on the following versions of xSeries Linux: 

• UnitedLinux 1.0 (including SP2) 

• SuSE Linux Enterprise Server 8 

• Red Hat Enterprise Linux 3.0 
Memory 

A minimum of 256 MB RAM is required. (For better results, use 512 MB or 
more.) 


Disk space 


• If you plan to use the InstallShield GUI to install, be sure that you have 
at least 100 MB of free space in the /var directory and at least 400 MB in 
the /tmp directory. 

• If you already have DB2 installed, you need approximately 30 MB of 
disk space to create the empty database and start the Server. (DB2 
requires about 300-500 MB of disk space.) IBM Tivoli Directory Server 
(including the dient and the Server) requires about 160 MB. 


Disk space required for data storage is dependent upon the number and 
size of database entries. Allow a minimum of 80 MB for your database 
on UNIX Systems. Also allow approximately another 4 MB of disk space 
in the home directory of the user who will own the database to create 
the DB2 instance. (Normally, this directory is /home, but you can 
specify anoth er directory if you do not have enough space in the /hom e 
directory. See "Betöre you configure: creating the DB2 database owner 


and database instance owner" on page 85 for more information.) See the 
IBM Tivoli Directory Server Version 5.2 Server Readme file and the IBM 
Tivoli Directory Server Version 5.2 Readm e Addendum for any last minute 


changes to d atabase requirements. (See "Accessing publications online 


on page viii for information about accessing online publications.) 


Other Software 


• The Korn shell is required. 

• DB2 Universal Database for Linux version 8.1 Enterprise Server Edition 
with FixPak 2 (DB2) is included with the IBM Tivoli Directory Server, 
although DB2 version 7.2 with FixPak 5 or higher is also supported. 


Attention: If you have SecureWay Directory Version 3.1.1.5, 3.2, 3.2.1, 
or 3.2.2, or IBM Directory Server 4.1 or 5.1 installed, read and 


understand the migration proc ess in Chapter 5, "Migration from 


previous releases", on page 29 betöre removing or upgrading DB2. If you 


remove DB2 betöre migrating, you will lose your data. 


• To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 
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zSeries Linux operating System Server requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Server Readme for 
any updated information about supported versions of zSeries Linux. The file name 
is server.txt. The file is in the root directory of the CD or the directory where you 
untarred the Server package. After installing, the Server Readme file is located in 
the /usr/ldap/doc//flHg directory in files server.txt, server.pdf, and server.htm, 
where lang is the locale you chose when you installed IBM Tivoli Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 
last-minute information. (See 


'Accessing publications online" on page viii for 


information about accessing online publications.) 


The following hardware and Software are required for the zSeries Linux Server: 

Operating System 

The Server is supported on the following versions of zSeries Linux: 

• SuSE Linux Enterprise Server 8 

• Red Hat Enterprise Server 3.0 

Memory 

A minimum of 256 MB RAM is required. (For better results, use 512 MB or 
more.) 


Disk space 


If you already have DB2 installed, you need approximately 30 MB of 
disk space to create the empty database and start the Server. (DB2 
requires about 300-500 MB of disk space.) IBM Tivoli Directory Server 
(including the dient and the Server) requires about 160 MB. 

Disk space required for data storage is dependent upon the number and 
size of database entries. Allow a minimum of 80 MB for your database 
on UNIX Systems. Also allow approximately another 4 MB of disk space 
in the home directory of the user who will own the database to create 
the DB2 instance. (Normally, this directory is /home, but you can 
specify anoth er directory if you do not have enough space in the /hom e 
directory. See "Before you configure: creating the DB2 database owner 


and database instance owner" on page 85 for more information.) See the 
IBM Tivoli Directory Server Version 5.2 Server Readme file and the IBM 
Tivoli Directory Server Version 5.2 Readm e Addendum for any last minute 


changes to d atabase requirements. (See "Accessing publications online 


on page viii for information about accessing online publications.) 


Other Software 


• The Korn shell is required. 

• DB2 Universal Database for Linux version 8.1 Enterprise Server Edition 
with FixPak 2 (DB2) is included with the IBM Tivoli Directory Server, 
although DB2 version 7.2 with FixPak 5 or higher is also supported. 


Attention: If you have SecureWay Directory Version 3.1.1.5, 3.2, 3.2.1, 
or 3.2.2, or IBM Directory Server 4.1 or 5.1 installed, read and 


understand the migration proc ess in Chapter 5, "Migration from 


previous releases", on page 29 before removing or upgrading DB2. If you 


remove DB2 before migrating, you will lose your data. 


• To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 
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iSeries and pSeries Linux operating System Server 
requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Server Readme for 
any updated information about supported versions of iSeries and pSeries Linux. 
The file name is server.txt. The file is in the root directory of the CD or the 
directory where you untarred the Server package. After installing, the Server 
Readme file is located in the /usr/ldap/doc/Zang directory in files server.txt, 
server.pdf, and server.htm, where lang is the locale you chose when you installed 
IBM Tivoli Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 


last-minute information. (See "Accessing publications online" on page viii for 


information about accessing online publications.) 


The following hardware and Software are required for the iSeries and pSeries 
Linux Servers: 


Operating System 

The Server is supported on the following versions of iSeries and pSeries 
Linux: 

• Red Hat Enterprise Server 3.0 

• SuSE Linux Enterprise Server 8. 

Memory 

A minimum of 256 MB RAM is required. (For better results, use 512 MB or 
more.) 


Disk space 


If you already have DB2 installed, you need approximately 30 MB of 
disk space to create the empty database and start the Server. (DB2 
requires about 300-500 MB of disk space.) IBM Tivoli Directory Server 
(including the dient and the Server) requires about 160 MB. 

Disk space required for data storage is dependent upon the number and 
size of database entries. Allow a minimum of 80 MB for your database 
on UNIX Systems. Also allow approximately another 4 MB of disk space 
in the home directory of the user who will own the database to create 
the DB2 instance. (Normally, this directory is /home, but you can 
specify anoth er directory if you do not have enough space in the /hom e 
directory. See "Before you configure: creating the DB2 database owner 


and database instance owner" on page 85 for more information.) See the 
IBM Tivoli Directory Server Version 5.2 Server Readme file and the IBM 
Tivoli Directory Server Version 5.2 Readm e Addendum for any last minute 


changes to d atabase requirements. (See "Accessing publications online 


on page viii for information about accessing online publications.) 


Other Software 


• The Korn shell is required. 

• DB2 Universal Database for Linux version 8.1 Enterprise Server Edition 
with FixPak 2 (DB2) is included with the IBM Tivoli Directory Server, 
although DB2 version 7.2 with FixPak 5 or higher is also supported. 


Attention: If you have IBM Directory Server 5.1 for Linux iSeries and 
pSeries installed, read and understand the migration proce ss in 


Chapter 5, "Migration from previous releases", on page 29 


before 


removing or upgrading DB2. If you remove DB2 before migrating, you 
will lose your data. 
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• To use GSKit, the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is 
required. 

Solaris operating System Server requirements 

Before installing, see the IBM Tivoli Directory Server Version 5.2 Server Readme for 
any updated Information about supported versions of Solaris. The file name is 
server.txt. The file is in the root directory of the CD or the directory where you 
untarred the Server package. After installing, the Server Readme file is located in 
the /opt/IBMIdaps/doc/ lang directory in files server.txt, server.pdf, and 
server.htm, where lang is the locale you chose when you installed IBM Tivoli 
Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 
last-minute Information. (See "Accessing publications online" on page viii 


Information about accessing online publications.) 


for 


The following hardware and Software are required for the Solaris Server: 

Operating System 

The Server is supported on the following versions of Solaris: 

• Solaris Operating Environment Software versions 8 or 9 


Memory 

A minimum of 256 MB RAM is required. (For better results, use 512 MB.) 


Disk space 


• If you plan to use the InstallShield GUI to install, be sure that you have 
at least 100 MB of free space in the /var directory and at least 400 MB in 
the /tmp directory. 

• If you already have DB2 installed, you need approximately 30 MB of 
disk space to create the empty database and start the Server. (DB2 
requires about 300-500 MB of disk space.) IBM Tivoli Directory Server 
(including the dient and the Server) requires about 160 MB. 


Disk space required for data storage is dependent upon the number and 
size of database entries. Allow a minimum of 80 MB for your database 
on UNIX Systems. Also allow approximately another 4 MB of disk space 
in the home directory of the user who will own the database to create 
the DB2 instance. (Normally, this directory is /home, but you can 
specify anoth er directory if you do not have enough space in the /hom e 
directory. See "Before you configure: creating the DB2 database owner 


and database instance owner" on page 85 for more Information.) See the 
IBM Tivoli Directory Server Version 5.2 Server Readme file and the IBM 
Tivoli Directory Server Version 5.2 Readm e Addendum for any last minute 


changes to d atabase requirements. (See "Accessing publications online 


on page viii for Information about accessing online publications.) 


Other Software 


• The Korn shell is required. 

• Ensure that the code page conversion routines (en_US.UTF-8 1.0) are 
installed. 

• In addition, if you plan to use the InstallShield GUI to install or the 
Configuration Tool for configuration, patches are required for the Java 2 
Runtime Environment, v. 1.4.1. 

To obtain patches, see the SunSolve support Web site at: 

http: / / sunsolve. sun.com / pub-cgi / show.pl?target=patches / J2SE 
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Also see http://java.sun.eom/j2se/l.3/font-requirements.html for 
Information about which font packages should be on your System. 

DB2 Universal Database for Solaris version 8.1 Enterprise Server Edition 
with FixPak 2 (DB2) is included with the IBM Tivoli Directory Server, 
although DB2 version 7.2 with FixPak 5 or higher is also supported. 
Attention: If you have SecureWay Directory Version 3.1.1.5, 3.2, 3.2.1, 
or 3.2.2, or IBM Directory Server 4.1 or 5.1 installed, read and 


understand the migration proc ess in Chapter 5, "Migration from 


previous releases", on page 29 betöre removing or upgrading DB2. If you 
remove DB2 before migrating, you will lose your data. 

If you use DB2 8.1, the following patches are required: 

- On Solaris 8 (32-bit): "Recommended & Security Patches" + 108921-12 
+ 108940-24 + 108434-03 and 108528-12 

- On Solaris 8 (64-bit): "Recommended & Security Patches" + 108921-12 
+ 108940-24 + 108435-03 and 108528-12 


"Recommended & Securit y Patches" can be obtained from the 
http:// sunsolve.Sun.com Web site. On the SunSolve Online Web site, 
click the Patches menu item in the left-hand panel and select 
Recommended & Security Patches from the Browse & Download 
Patches section. 


The T2SE Solaris Patch Clusters are also required. They can be obtained 
from the http://sunsolve.Sun.com Web site. From the SunSolve Online 
Web site, click on the Patches menu item in the left-hand panel and 
select Recommended & Security Patches from the Browse & Download 
Patches section. 


The SUNWlibC Software is required to install DB2 on Solaris. 

You will need a Java Runtime Environment (JRE) to run the DB2 
Java-based tools, such as the Control Center, and to create and run Java 
applications, including stored procedures and user-defined functions. 
Düring the Installation process, if the correct level of the JRE is not 
already installed, it will be installed. 

A browser is required to view online help. 

• To use GSKit, the following are required: 

- On Solaris 8, the following patches are required for the gsk runtime: 
108434-02 111327-02, 108991, 108827 and 108528 For gsk SDK 2 : 
109505-08, 109508-04, 109510-03, and 109513-05. 

- On Solaris 9, the following patches are required for the gsk runtime: 
108434-02 111327-02, 108991, 108827 and 108528. The following 
patches are required for the gsk SDK 2: 109505-08, 109508-04, 
109510-03, and 109513-05. 

- The IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK is required. 

HP-UX operating System Server requirements 

Betöre installing, see the IBM Tivoli Directory Server Version 5.2 Server Readme for 
any updated information about supported versions of HP-UX. The file name is 
server.txt. The file is in the root directory of the CD or the directory where you 
untarred the Server package. After installing, the Server Readme is located in the 
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/usr/IBMldap/doc/ lang directory in files server.txt , server.pdf, and server.htm, 
where lang is the locale you chose when you installed IBM Tivoli Directory Server. 


Also see the IBM Tivoli Direct ory Server Version 5.2 Readme Addendum for 


last-minute Information. (See "Accessing publications online" on page viii for 


information about accessing online publications.) 

The following hardware and Software are required for the HP-UX Server: 

Operating System 

The Server is supported on HP-UX lli with the following patches: 

• December 2001 GOLDBASElli bündle 

• December 2001 GOLDAPPSlli bündle 

• patch PHSS_26560 

Memory 

A minimum of 512 MB RAM is required. 

Disk space 

• If you already have DB2 installed, you need approximately 30 MB of 
disk space to create the empty database and start the Server. (DB2 
requires about 300-500 MB of disk space.) IBM Tivoli Directory Server 
(including the dient and the Server) requires about 160 MB. 

• Disk space required for data storage is dependent upon the number and 
size of database entries. Allow a minimum of 80 MB for your database 
on UNIX Systems. Also, ensure that there is approximately another 4 MB 
of disk space in the home directory of the user who will own the 
database to create the DB2 instance. (Normally, this directory is /home, 
but you can specify another directory if you do not have enough spa ce 
in the /home directory. See "Before you configure: creating the DB2 


database owner and database instance owner" on page 85 for more 
information.) See the IBM Tivoli Directory Server Version 5.2 Server Readme 
file and the IBM Tivoli Directory Server Version 5.2 Read me Addendum for 


any last minute changes to datab ase requirements. (See "Accessing 


publications online" on page viii for information about accessing online 


publications.) 


Other Software 


The Korn shell is required. 

HP-UX Runtime Environment for the Java 2 Platform Version 1.4.1. is 
required for the Configuration Tool and for GSKit. Go to 


http://www.hp.com/go/java to download Java. 


To use GSKit, Patch PHSS_26946 is required for the gsk runtime. 
Set the current kernel configuration paramete rs. See 


kernel configuration parameters" on page 73 for the required parameters 


'Setting the current 


DB2 Universal Database for AIX version 8.1 Enterprise Server Edition 
with FixPak 2 (DB2) is included with the IBM Tivoli Directory Server, 
although DB2 version 7.2 with FixPak 5 or higher is also supported. 


Requirements for the Web Administration Tool 

You can install the Web Administration Tool on a Computer with or without the 
dient or the Server. The Web Administration Tool can be used to administer LDAP 
Servers of the following types: 

• IBM Tivoli Directory Server 5.2 
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• IBM Directory Server 5.1 

• IBM Directory Server 4.1 

• IBM SecureWay Directory 3.2.2 

• OS/400 V5R3 

• z/OSR4 

Note: For z/OS R4, only the following setups are supported: 

- A single TDBM backend 

- A single SDBM backend 

- One TDBM and SDBM backend 


The Web Administration Tool is supported on the following operating System 
platforms: 

Windows platforms: 

• Windows NT 4.0 

• Windows 2000 

• Windows XP 

• Windows Server 2003 Standard, Enterprise 

AIX platforms: 

AIX 4.3.3, 5.1, or 5.2 

xSeries Linux platforms: 

• UnitedLinux 1.0 

• SuSE Linux Enterprise Server 7 or 8 

• Red Hat Advanced Server 2.1 

• Red Hat Enterprise Linux 3.0 

zSeries Linux platforms: 

• Red Hat Advanced Server 3.0 

• SuSE Linux Enterprise Server 8.0 

iSeries and pSeries Linux platforms: 

• UnitedLinux 1.0 

• SuSE Linux Enterprise Server 8.0 

• Red Hat Advanced Server 3.0 

Solaris platforms: 

• Solaris 7, 8, or 9 

HP-UX platforms: 

HPUX 11 or lli 


To use the Web Administration Tool, you also need the following: 

• One of the following application Servers: 

- The embedded version of WebSphere Application Server - Express V5.0 or 
later. Version 5.0.2 is Provided with IBM Tivoli Directory Server 5.2. (iSeries 
Linux, pSeries Linux, and HP-UX require version 5.0.2.) If you ha ye version 
5.0, which was provided with IBM Directory Server, installed, see "Migrating 


the Web Administration Tool and upgrading the embedded version of 


WebSphere Application Server - Express" on page 43 
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- IBM WebSphere® 5.0 or later. (iSeries Linux, pSeries Linux, and HP-UX 
require version 5.0.2.) 

• One of the following Web browsers on the Computer from which you will use 
the Web Administration Tool. (This might or might not be the Computer where 
the Web Administration Tool is installed): 

On Windows platforms 

Microsoft Internet Explorer version 6.0 

On AIX 

Mozilla 1.3 or 1.4 

On xSeries Linux 

Mozilla 1.3 or 1.4 

On iSeries, pSeries, zSeries Linux 

No browser support is available. 

On Solaris 7, 8, or 9 

Mozilla 1.3 or 1.4 

On HP-UX 

Mozilla 1.3 or 1.4 


Secure Sockets Layer (SSL) Global Security Kit (GSKit) 

Global Security Kit (GSKit) version 7a is an optional Software package that is 
required only if Secure Sockets Layer (SSL) Security or Transport Layer Security 
(TLS) is required. 

IBM Tivoli Directory Server 5.2 alone does not provide the capability for SSL 
connections from IBM Tivoli Directory Server clients. You can enable the SSL 
feature by installing the IBM GSKit 7a package. The GSKit package includes SSL 
support and associated RSA Data Security, Inc. (4) technology. 

OpenSSL is included in GSKit and may be used for cryptographic operations (as 
per the OpenSSL license requirements). 

The IBM Tivoli Directory Server Server can work without the GSKit installed. In 
this case the Server accepts only non-secure connections from any Directory dient. 
Similarly, the IBM Tivoli Directory Server dient can work without the GSKit 
installed. Install GSKit on both the Server and the dient if you want to use secure 
connections. 


See Appendix I, "Setting up GSKit to support CMS key databases", on page 139 for 


more information about setting up GSKit after Installation. 
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Chapter 5. Migration from previous releases 


Migrating is necessary to preserve any changes that you have made to the Schema 
definitions and to preserve your data and directory Server configuration. Use the 
procedures in this chapter when you are migrating an existing directory Server on 
the same physical Computer from a version of SecureWay Directory or IBM 
Directory Server. 


If your installation includes replica Servers, r ead the information in Appendix C, 


'Migrating replication Servers", on page 123 before you start migrating any of your 


Servers. 


Note: If you have only a dient installed, migration is generally not necessary. 

However, if you are migrating from a release prior to IBM Directory Server 
4.1 and you have Java applications that use the IBM JNDI JAR files, the JAR 
files will be removed during installation; theref ore, save them before you 
install IBM Tivoli Directory Ser ver 5.2. See step 2 on page 31 for Windows 
platforms or step 2 on page 35 for all UNIX platforms for information. 


Starting with IBM Directory Server 4.1, IBM JNDI is not supported. IBM 
Directory Server 4.1, 5.1, and 5.1 for Linux iSeries and pSeries, and IBM 
Tivoli Directory Server 5.2 include the Sun Microsystems JNDI. See the Sun 
documentation for information about the Sun JNDI. There might be some 
functional differences between IBM and Sun implementations that require 
changes to existing JNDI applications. IBM JNDI applications might still run, 
but for reliable results, begin using the Sun JNDI immediately. 


If you are migrating from SecureWay Directory, see one of the following sections: 


For Windows, see |"Migration from SecureWay Directory Version 3.2.2 for 


Windows InstallShield GUI installations" on page 30 


For AIX, see "Migration from SecureWay Directory Version 3.2.2 for AIX 


installations" on page 33 


For Solaris and Linux, see "Migration from SecureWay Directory Version 3.2.2 


for Solaris and Linux installations" on page 35 


If you are migrating from IBM Directory Server 4.1, 5.1, or 5.1 for Linux iSeries 
and pSeries, see one of the following sections: 


For Windows, see "Migration from IBM Directory Server version 4.1 or 5.1 for 

Windows installations" on page 37 


For AIX, see 

"Migration from IBM Directory Server version 4.1 or 5.1 for AIX 

installations" on page 37 



• For Solaris, Linux, zSeries Linux, iSeries and pSeries Linux, or HP-UX, see _ 

"Migration from IBM Directory Server Version 4.1 or 5.1 for UNIX installations" 
on page 42 


The version of SecureWay Directory you are migrating must be 3.2.2 or higher. If 
you have a SecureWay Directory version that is less than 3.2.2 currently installed, 
you must Upgrade to version 3.2.2 before installing IBM Tivoli Directory Server 5.2. 
You c an download SecureWay Directory version 3.2.2 from the IBM Direc tory Web 


page: |http : / / www. ihm, com / Software / tivoli / products / directory-server / 


© Copyright IBM Corp. 1998, 2003 
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Attention 

In releases before IBM Directory Server 4.1, the LDAP Server uses LDAP as 
its Kerberos Service name to communicate with its dient and the Kerberos 
KDC. (For example, LDAP/ldaphost. austin.ibm.com, where ldaphost is the 
hostname of the Computer where the LDAP Server is located.) For IBM 
Directory Server 4.1 and 5.1 and IBM Tivoli Directory Server 5.2, a lowercase 
Service name is used (for example, ldap/ldaphost.austin.ibm.com). Because of 
this change, an IBM Directory Server 4.1 or 5.1, or IBM Tivoli Directory 
Server 5.2 Server might not be able to start after migrating from a 3.2.2 Server. 
This is because the 4.1, 5.1, or 5.2 Server is looking for ldap in the keytab file 
in which an LDAP Service name was located and used by the previous 3.2.2 
Server. To correct this Situation you can do either of the following: 

• Generate a keytab file by adding a lowercase LDAP Kerberos service name 
and start using the new keytab file to communicate. 

• Set the environment variable LDAP_KRB_SERVICE_NAME to LDAP 
before starting the Server. This environment variable causes the LDAP 
Server to continue using the uppercase LDAP Server service name in the 
keytab file and to communicate with its clients. In the latter case, the 
environment variable must be set on the dient side as well so that the 
dient will continue using the uppercase LDAP service name to 
communicate with its Server. 


The audit log and the change log are not migrated. If you want to preserve your 
audit log and change log settings, record them before proceeding. After you have 
installed IBM Tivoli Directory Server, you can reset the audit log settings through 
the Web Administration Tool and the change log settings through the 
Configuration Tool. Note that there is a new setting for the Audit version, which is 
set by default to 2. You must set the Audit version to 1 if you want to maintain 
your previous audit logging capabilities for any applications that parse the audit 
log. See the IBM Tivoli Directory Server Administration Guide for Information. 

Attention: Run the db2ldif application before uninstalling the 3.2.2 version of 
SecureWay Directory Do not use the DB2BACKUP command. 

Reference your current (pre-IBM Tivoli Directory Server 5.2) documentation for 
instructions for running the db2ldif utility. Databases must not be unconfigured or 
dropped unless they have been backed up using the 3.2.2 version of db2ldif. 
Failure to comply with this results in a complete loss of data. 


Migration from SecureWay Directory Version 3.2.2 for Windows 
InstallShield GUI installations 

If you are upgrading from a 3.2.2 version of SecureWay Directory, and you are 
installing IBM Tivoli Directory Server on a Windows System using the InstallShield 
GUI, the installation automatically completes some migration for you. 

To migrate, use the following procedure: 

Pre-installation steps: 

1. Back up the previous versions of the slapd32.conf and any Schema files from 
the installpath\etc directory to the installpatlA etc \userV52 directory. (You must 
create the installpath\e tc\userV52 directory.) installpath is the directory where 
SecureWay Directory is installed. 
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These include files with the following file extensions: 

• .oc 

• .at 

• .conf 

and the following files: 

• V3.1dapsyntaxes 

• V3.matchingrules 

• V3.modifiedschema 

2. If you have any existing IBM JNDI applications, IBMJNDI.JAR or any 
associated JNDI files, you can save them if you like, although IBM JNDI is no 
longer supported. To save the files: 

• Save files, including any subdirectories, in installpath\]re\bm to 
ins tallpath \ etc \ userV52 \ jre \ bin 

• Save files, including any subdirectories, in instaUpath\]re\\\b to 
msffl//pflf/Aetc\userV52\jre\lib 

JNDI-related files are: 

• Ibmjcefw.jar 

• Ibmjceprovider.jar 

• IBMjgssprovider.jar 

• LocaLpolicy.jar 

• US_export_policy.jar 

• Krb5.ini 

• Ibmjndi.jar 

• Ibmjndi.zip 

3. If you have not done so already: 

a. Export the database using db2ldif: 
db2fdif -o outputfile 

where outputfile specifies the LDIF output file to contain the directory 
entries in LDIF format. 

For more information about the db2ldif command, read the db2ldif 
documentation in the SecureWay Administration Guide for your release betöre 
exporting the database. 

Attention: Do not use the DB2BACKUP command to export your data. If 

you do not export using db2ldif betöre unconfiguring and removing the 
database, you will lose your data. 

b. Unconfigure and remove the database by typing the following at a 
command prompt: 

ldapucfg -d 

c. Type y to confirm the removal. Default LDAP databases and instances are 
automatically removed from the System when the command successfully 
completes. (If your database instance name and your database name are 
both ldapdb2, you have a default database configured.) 

Notes: 

1) If you use a custom database, you must manually remove the DB2 
database from the System. 
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2) Data contained in the SecureWay Directory 3.2.2 database is not 
compatible with IBM Tivoli Directory Server 5.2 unless it is exported 
using the 3.2.2 Version of db2ldif and imported through the bulkload 
utility provided with IBM Tivoli Directory Server 5.2. 

3) The Server will not start if you do not migrate the database. 

4) The changes in the changelog database are not compatible with the new 
data format and cannot be used. The existing changelog settings 
contained in the slapd32.conf file will be migrated to the new 
configuration. 

5) The audit log will not be migrated and must be reconfigured. 

6) If you have a version of DB2 earlier than version 7.2 with FixPak 5, you 
must Upgrade to DB2 7.2 FixPak 5 or later after you have exported the 
database. Altematively, you can remove DB2 after you have exported 
the database and install the version of DB2 provided with IBM Tivoli 
Directory Server. 


Installation steps: 

4. Install IBM Tivoli Directory Server 5.2 using the InstallShield GUI. See 


"Installing IBM Tivoli Directory Server on a Windows platform" on page 50| for 
instructions. The InstallShield GUI automatically migrates the configuration and 
Schema files. 


Notes: 

a. You might be asked if you want to replace some configuration files. Select 
Yes to replace. 

b. If a configured database is detected, you are instructed that additional steps 
must be taken before the installation can continue. The installation program 
lists the steps needed to be taken before the installation can continue. The 
installation program exits after you acknowledge that these steps are 
required. The IBM Tivoli Directory Server installation program repeats this 
action as long as there is an existing database configured. 


Post-installation steps: 

5. After you complete the installation and restart your Computer, the 

Configuration Tool Starts automatically. Use the Configuration Tool to set the 
Administrator DN and password and co nfigure a new LDAP database. See 


Chapter 12, "Configuration", on page 83 for instructions on how to configure 


the LDAP database. 


Note: If you want a change log database, make sure the change log is enabled 
through the Configuration Tool or by using the ldapcfg utility with the 
-g Option. 

6. Use the bulkload utility to import the db2ldif exported data, as follows: 
bulkload -i Idiffile -c -d 

where Idiffile is the name of the input file containing the LDIF data to be loaded 
into the directory 

Note: Read the bulkload documentation in the IBM Tivoli Directory Server 
Version 5.2 Administration Guide for information about command line 
settings that provide additional levels of function. 
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Migration from SecureWay Directory Version 3.2.2 for AIX installations 

The instructions in this section are for AIX installations. For Solaris and L inux, see 
NvhgpadonjTOny^ y Directory Version 3.2.2 for Solaris and Linux 

installations" on page 35 


To migrate an existing directory Server on AIX, use the following procedure: 

Pre-installation steps: 

1. Back up the previous versions of the slapd32.conf and any Schema files from 
the instnll path /etc directory to the instnll path/e tc/userV52 directory. (You must 
create the install path/ etc/userV52 directory.) instnll path is the directory where 
SecureWay Directory is installed. 

These include files with the following file extensions: 

• .oc 

• .at 

• .conf 

and the following files: 

• V3.1dapsyntaxes 

• V3.matchingrules 

• V3.modifiedschema 

2. If you have any existing IBM JNDI applications, IBMJNDI.JAR or any 
associated JNDI files, you can save them if you like, although IBM JNDI is no 
longer supported. To save the files: 

• Save files, including any subdirectories, in installpath\)avaXbir\ to 
mstaZZpaf/z\etc\userV52Yjava\bin 

• Save files, including any subdirectories, in installpath\)ava\lib to 
ins tallpath \ etc \ userV52 \ java \ lib 

JNDI-related files are: 

• Ibmjcefw.jar 

• Ibmjceprovider.jar 

• IBMjgssprovider.jar 

• Local_policy.jar 

• US_export_policy.jar 

• Krb5.ini 

• Ibmjndi.jar 

• Ibmjndi.zip 

3. Export the database using db2ldif, as follows: 
db21 dif -o outputfile 

where outputfile specifies the LDIF output file to contain the directory entries in 
LDIF format. 

For more information about the db2ldif command, read the db2ldif 
documentation in the SecureWay Administration Guide for your release betöre 
exporting the database. 


Attention: Do not use the DB2BACKUP command to export your data. If you 
do not export using db2ldif betöre unconfiguring and removing the database, 
you will lose your data. 


Chapter 5. Migration from previous releases 33 









4. Unconfigure and remove the database by typing the following at a command 
prompt: 

ldapucfg -d 

5. Type y to confirm the removal. Default LDAP databases are automatically 
removed from the System when the command successfully completes. (If your 
database instance name and your database name are both ldapdb2, you have a 
default database configured.) 


Notes: 

a. If you use a custom database, you must manually remove the DB2 database 
from the System. 

b. Data contained in the SecureWay Directory 3.2.2 database is not compatible 
with IBM Tivoli Directory Server 5.2 unless it is exported using db2ldif and 
imported through the bulkload utility provided with IBM Tivoli Directory 
Server 5.2. 

C. The Server will not start if you do not migrate the database. 

d. If you have a version of DB2 earlier than version 8.1 with FixPak 2, you 
must Upgrade to DB2 8.1 FixPak 2 after you have exported the database. 
Alternatively, you can remove DB2 after you have exported the database 
and install the version of DB2 provided with IBM Tivoli Directory Server. 

e. The changes in the change log database are not compatible with the new 
data format and cannot be used. Any entries in the change log will be lost. 
The existing change log settings contained in the slapd32.conf file will be 
migrated to the new configuration. 

f. The audit log will not be migrated and must be reconfigured. 


Installation steps: 

6. Install IBM Tivoli Direct ory Server 5.2 using SMIT. For information, see 


Installation" on page 58 


'SMIT 


Post-installation steps: 


7. Migrate the configuration and Schema by executing the migrate52 script. Type 
the following commands at a command prompt: 

cd installpath/etc 
. ./sbin/migrate52 


Note: You must run the migrate52 script even if you did not modify the 
previous Schema. There are new Schema files and entries in the 
ibmslapd.conf file that are not compatible with previous versions. 


8. Set the Administrator DN and password and configure a new LDAP database 


using th e ldapcfg or ldapxcfg commands. See Chapter 12, "Configuration", on 


page 83 for instructions on how to configure the LDAP database. 


Note: If you want a change log database, make sure the change log is enabled 
through the Configuration Tool or by using the ldapcfg command with 
the -g Option. 

9. Use the bulkload utility to import the db2ldif exported data: 
bulkload -i Idiffile -c -d 


where Idiffile is the name of the input file containing the LDIF data to be loaded 
into the directory. 

Note: Read the bulkload documentation in the IBM Tivoli Directory Server 

Version 5.2 Administration Gidde for command line settings that provide 
additional levels of function. 
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Migration from SecureWay Directory Version 3.2.2 for Solaris and 
Linux installations 


The instructions in this section are for Solaris and Linux. Do not use these 
inst ructions to migrate on an AIX System. If you are migrating on an AIX System , 


see "Migration from SecureWay Directory Version 3.2.2 for AIX installations" on 
page 33 


To migrate an existing directory Server, use the following procedure: 

Pre-installation steps: 

1. Back up the previous versions of the slapd32.conf file and any Schema files 
from the instnllpnth/e tc directory to the instnll path/e tc/userV52 directory. (You 
must create the installpath/e tc/userV52 directory.) installpath is the directory 
where SecureWay Directory is installed. 

These include files with the following file extensions: 

• .oc 

• .at 

• .conf 

and the following files: 

• V3.1dapsyntaxes 

• V3.matchingrules 

• V3.modifiedschema 

2. If you have any existing IBM JNDI applications, IBMJNDI.JAR or any 
associated JNDI files, you can save them if you like, although IBM JNDI is no 
longer supported. To save the files: 

• Save files, including any subdirectories, in installpath\ javaXbin to 
ins tal Ipath \ etc \ userV52 \ java \bin 

• Save files, including any subdirectories, in installpath\ javaXlib to 
ins tal Ipath \ etc \ userV52 \ java \ lib 

JNDI-related files are: 

• Ibmjcefw.jar 

• Ibmjceprovider.jar 

• IBMjgssprovider.jar 

• Local_policy.jar 

• US_export_policy.jar 

• Krb5.ini 

• Ibmjndi.jar 

• Ibmjndi.zip 

3. Export the database using db2ldif, as follows: 

Note: Read the db2ldif documentation in the SecureWay Administration Guide 
for your release betöre exporting the database. 
db21 dif -o outputfile 

where outputfile specifies the LDIF output file to contain the directory entries 
in LDIF format. 
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Attention: Do not use the DB2BACKUP command to export your data. If you 

do not export using db2ldif betöre unconfiguring and removing the database, you 
will lose your data. 

4. Unconfigure and remove the database by typing the following at a command 
prompt: 

ldapucfg -d 

5. Type y to confirm the removal. Default LDAP databases are automatically 
removed from the System when the command successfully completes. (If your 
database instance name and your database name are both ldapdb2, you have 
a default database configured.) 


Notes: 


a. If you use a custom database, you must manually remove the DB2 
database from the System. 

b. Data contained in the SecureWay Directory 3.2.2 database is not 
compatible with IBM Tivoli Directory Server 5.2 unless it is exported using 
db2ldif and imported through the bulkload utility provided with IBM 
Tivoli Directory Server 5.2. 

C. The Server will not start if you do not migrate the database. 

d. If you have a version of DB2 earlier than version 7.2 with FixPak 5, you 
must Upgrade to DB2 7.2 FixPak 5 or later after you have exported the 
database. Alternatively, you can remove DB2 after you have exported the 
database and install the version of DB2 provided with IBM Tivoli 
Directory Server. 

e. The changes in the changelog database are not compatible with the new 
data format and cannot be used. The existing changelog settings contained 
in the slapd32.conf file will be migrated to the new configuration. 

f. The audit log will not be migrated and must be reconfigured. 

6. Uninstall SecureWay Directory 3.2.2. 

Installation steps: 


7. Install IBM Tivoli Directory Server 5.2. Use one of the following: 


pkgadd for Solaris. See pCommand line installation using pkgadd" on 


page 69|for information. 


RPM for Linux. See "Installing IBM Tivoli Directory Server" on page 63 for 
information. 


The InstallShield GUI. See "Installing on a UNIX-based platform" on 


page 53 for information. 


Post-installation steps: 

8. Migrate the configuration and Schema by executing the migrate52 script. Type 
the following commands at a command prompt: 

cd installpath/etc 
. ./sbin/migrate52 


Note: You must run the migrate52 script even if you did not modify the 
previous Schema. There are new Schema files and entries in the 
ibmslapd.conf file that are not compatible with previous versions. 


9. Set the Administrator DN and password and configure a new LDAP database 


using th e ldapcfg or ldapxcfg commands. See Chapter 12, "Configuration", on 


page 83 for instructions on how to configure the LDAP database. 
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Note: If you want a change log database, make sure the change log is enabled 
through the Configuration Tool or the ldapcfg command with the -g 
Option. 

10. Use the bulkload utility to import the db2ldif exported data: 
bulkload -i Idiffile -c -d 

where Idiffile is the name of the input file containing the LDIF data to be 
loaded into the directory. 

Note: Read the bulkload documentation in the IBM Directory Server Version 
5.2 Administration Guide for command line settings that provide 
additional levels of function. 


Migration from IBM Directory Server Version 4.1 or 5.1 for Windows 
installations 


If you are upgrading from the 4.1 or 5.1 Version of IBM Directory Server on a 
Windows System using the InstallShield GUI, migration is automated. The 
InstallShield GUI backs up the Server configuration and Schema files betöre 
installing the 5.2 version, and it migrates these files to the 5.2 version for you 
automatically. 


Note: If you have th e Web Administration Tool installed from IBM Directory 
Server 5.1, see 'WtigratingJhe_Web_Adm^^ 


embedded version of WebSphere Application Server - Express" on page 43 
for information. 


Migration from IBM Directory Server version 4.1 or 5.1 for AIX 
installations 


The instructions in this section are for AIX installations. For Solaris, Linux, zSeries 
Linux, and F1P-UX, see "Migration from IBM Directory Server Version 4.1 or 5.1 for 


UNIX installations" on page 42 


Note: If you have th e Web Administration Tool installed from IBM Directory 
Server 5.1, see ^jjg£gbpg_thg_Web_^jnh£|^^ 


embedded version of WebSphere Application Server - Express" on page 43 
for information. 


This section is divided into three subsections for the following migration scenarios: 


"Migrating from IBM Directory Server 4.1" 


"Migrating from IBM Directory Server 5.1 with DB2 8.1, 32-bit" on page 38 

"Migrating from IBM Directory Server 5.1 with DB2 7.2" on page 39 



Migrating from IBM Directory Server 4.1 

To migrate an existing IBM Directory Server 4.1 on AIX, use the following 
procedure: 

Pre-installation steps: 

1. Back up the previous versions of the slapd32.conf or ibmslapd.conf and any 
Schema files from the /usr/ldap/etc directory to a directory that is not a 
subdirectory of /usr/ldap. 

These include files with the following file extensions: 

• .oc 
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• .at 

• .conf 


and the following files: 

• V3.1dapsyntaxes 

• V3.matchingrules 

• V3.modifiedschema 


2. If you installed with the InstallShield GUI, uninstall using the InstallShield 
GUI. 

Installation steps: 


3. Install IBM Tivoli Directory Server 5.2 using the In st allShield GUI or SMIT. S ee 


'Installing on a UNIX-based platform" on page 53 


page 58| for information. 


or 


'SMIT installation" on 


Post-installation steps: 


4. Migrate the configuration and Schema by executing the migrate52 script. Type 
the following commands at a command prompt: 

cd installpath/etc 
../sbin/migrate52 -s backuppath 


where b ackuppath is the path where you backed up the files in step 1 on 


page 37 


Note: You must run the migrate52 script even if you did not modify the 
previous Schema. There are new Schema files and entries in the 
ibmslapd.conf file that are not compatible with previous versions. 

Migrating from IBM Directory Server 5.1 with DB2 8.1, 32-bit 

To migrate an existing IBM Directory Server 5.1 on AIX, migrating DB2 Workgroup 
Server Edition 8.1, 32-bit, to DB2 Enterprise Server Edition 8.1, 64-bit, use the 
following procedure: 

Pre-installation steps: 

1. Stop the database instance, as follows: 

a. Log in as the DB2 instance owner. 

b. Ensure that there are no applications using any databases owned by this 
DB2 instance. To get a list of all applications owned by the instance, enter 
the db2 list applications command. You can end a Session by entering the 
db2 terminate command. Do not force termination of applications using 
the db2 force applications all command, because some applications might 
have unexpected behavior when they are terminated using this command. 
See the DB2 Command Reference for detailed information about these 
commands. 

c. When all applications are terminated, stop all database Server processes 
owned by the DB2 instance by entering the db2stop command. 

d. Stop the DB2 license daemon by entering the db2licm end command. 

e. Stop all command line processor sessions by entering the db2 terminate 
command in each session that was running the command line processor. 

f. Enter the db2_kill command to clean up any remaining DB2 resources. 

g. Log off. 

2. Back up the previous versions of the slapd32.conf or ibmslapd.conf and any 

Schema files from the /usr/ldap/etc directory to a directory that is not a 

subdirectory of /usr/ldap. 

These include files with the following file extensions: 
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• .oc 


• .at 

• .conf 


and the following files: 

• V3.1dapsyntaxes 

• V3.matchingrules 

• V3.modifiedschema 


3. Unconfigure the currently configured IBM Directory Server database (for 
example, ldapdb2) without deleting the instance and database. You can use 
the ldapucfg -d command or Configuration Tool. 

4. Stop the database instance, using the following procedure: 

a. Log in as the instance owner. 

b. Stop the instance using the db2istop command: 

/usr/opt/db2_08_01/instance/db2istop InstName 

5. If you installed with the InstallShield GUI, uninstall using the InstallShield 
GUI. 

Installation steps: 


6 . 

7. 

8 . 


Uninstall DB2 Workgroup Server Edition 8.1. 

Install DB2 Enterprise Server Edition 8.1. 

Inst all IBM Tivoli Directory Server 5.2 using the Install Sh ield GUI or SMIT. 


See l'Tnstalling on a UNIX-based platform" on page 53|or|"SMIT installation 


on page 58 for information. 


Post-installation steps: 

9. Update the IBM Tivoli Directory Server database instance to a 64-bit width, as 
follows: 


a. Log in as root. 

b. Run the db2iupdt command as follows: 

/usr/opt/db2_08_01/instance/db2iupdt -w 64 InstName 

10. Migrate the configuration and Schema by executing the migrate52 script. Type 
the following commands at a command prompt: 

cd installpath/etc 
. ./sbin/migrate52 -s backuppath 


wher ebackuppath is the path where you backed up the files in step 
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2 on 


Note: You must run the migrate52 script even if you did not modify the 
previous Schema. There are new Schema files and entries in the 
ibmslapd.conf file that are not compatible with previous versions. 


Migrating from IBM Directory Server 5.1 with DB2 7.2 

To migrate an existing IBM Directory Server 5.1 on AIX, migrating DB2 Enterprise 
Server Edition 7.2, 32-bit, to DB2 Enterprise Server Edition 8.1, 64-bit, use the 
following procedure: 

Pre-installation steps: 

1. Migrate the DB2 instance. Betöre you can migrate a DB2 instance, all 

applications using any databases owned by the instance must be terminated. 
To prepare a DB2 instance for migration, use the following procedure: 
a. Log in as the DB2 instance owner. 
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b. Be sure that there are no applications using any databases owned by this 
DB2 instance. To get a list of all applications owned by the instance, use 
the db2 list applications command. You can end a session by entering the 
db2 terminate command. Do not force termination of applications using 
the db2 force applications all command, because some applications might 
have unexpected behavior when they are terminated using this command. 
See the DB2 Command Reference for detailed Information about these 
commands. 

c. When all applications are complete, stop all database Server processes 
owned by the DB2 instance by entering the db2stop command. 

d. Stop the DB2 license daemon by entering the db2licm end command. 

e. Stop all command line processor sessions by entering the db2 terminate 
command in each session that was running the command line processor. 

f. Enter the db2_kill command to clean up any remaining DB2 resources. 

g. Log off. 

2. Verify that the database can be migrated. There are also migration 
considerations you should take into account if you are using the Version 2 
user exit program. 

DB2 provides the db2ckmig migration command, which is used to verify 
whether all cataloged databases can be migrated. The db2imigr command 
uses the db2ckmig command to verify whether the cataloged databases can be 
migrated. 

To ensure that you can migrate the instance, run the db2ckmig command. If 
instance migration failed, you must correct the errors reported by this 
command. You can run the db2ckmig command again to verify that the errors 
have been corrected, and then migrate the instance. 

For detailed Information about the db2ckmig command, refer to the DB2 
Command Reference. 

To verify that all cataloged databases can be migrated, perform the following 
steps: 

a. Log in as the instance owner. 

b. Enter the following command: 

DB2DIR/ bin/db2ckmig -h -a 0 -1 INSTHOME/mi gration.log 

where DB2DIR = /usr/lpp/db2_06_01 

c. Check the log file. The log file displays the errors that occur when you run 
the db2ckmig command. If it shows any errors, perform corrective actions. 

d. Check that the migration log file is empty betöre continuing with the 
instance migration. 

e. Back up the database after making corrections. 

3. Install DB2 Enterprise Server Edition 8.1, 64-bit. 

4. Back up the previous versions of the slapd32.conf or ibmslapd.conf and any 
Schema files from the /usr/ldap/etc directory to a directory that is not a 
subdirectory of /usr/ldap. 

These include files with the following file extensions: 

• .oc 

• .at 

• .conf 

and the following files: 

• V3.1dapsyntaxes 
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• V3.matchingrules 

• V3.modifiedschema 

5. If you installed with the InstallShield GUI, uninstall using the InstallShield 
GUI. 

6. Migrate the DB2 instance. Qnly local cataloged databases that reside in the 
DB2 instance are checked for migration. Uncataloged databases might be 
unusable after the instance has been migrated. 

After an instance is ready for migration, use the db2imigr command to 
migrate the instance as follows: 

a. Log in as a user with root authority. 

b. If the library_path environment variable is set to /usr/lib and there is a 
link in /usr/lib to the Version 7 libdb2 shared library, this can cause an 
error when using the db2imigr command. To fix the error, reset the 
library_path environment variable so that it does not reference the libraries 
in those paths by entering the following command: 

unset LIBPATH 

C. Run the db2imigr command as follows: 

/usr/opt/db2_Q8_01/instance/db2imigr [-d] [-a AuthType ] 

[-u fencedID] InstName 

where 

• -d sets the debug mode that you can use for problem determination. 

This parameter is optional. 

• -a AuthType specifies the authentication type for the instance. Valid 
authentication types are (SERVER), (CLIENT), and (DCS). If the -a 
parameter is not specified, the authentication type defaults to (SERVER), 
if a DB2 Server is installed. Otherwise, the AuthType is set to (CLIENT). 
This parameter is optional. 

Notes: 

1) The authentication type of the instance applies to all databases 
owned by the instance. 

2) While authentication type (DCE) is an optional parameter, it is not 
valid to choose (DCE) for this command 

• -u fencedID is the user under which the fenced user-defined functions 
(UDFs) and stored procedures will execute. This parameter is optional 
only when a DB2 Run-Time Client is installed. It is required for all other 
DB2 products. 

• InstName is the login name of the instance owner. 

7. Convert the DB2 instance to a 64-bit width, using the following procedure: 

a. Log in as a user with root authority. 

b. Run the db2iupdt command as follows: 

/usr/opt/db2_08_Ol/instance/db2iupdt -w 64 InstName 

c. After migrating the DB2 instance, reset LIBPATH to its original setting 

8. Migrate the database owned by the instance, using the following steps: 

a. Log on with a user ID that has SYSADM authority, such as the instance 
owner. 

b. Ensure that the database you want to migrate is cataloged. 

c. Run db2. 

d. At the DB2 command prompt, type the following: 
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migrate database DATABASE-NAME 

9. Initialize the database manager configuration parameter UTIL_IMPACT_LIM 
to its default value. The UTIL_IMPACT_LIM configuration parameter did not 
exist for UDB 7.1 and on migration to Enterprise Server Edition 8.1 it is 
assigned a value of 0. The valid ränge for this parameter is 1 to 100. Use the 
following procedure: 

a. Log on with a user ID that has SYSADM authority. 

b. Run db2. 

c. At the DB2 command prompt, type the following: 

update database manager configuration using UTIL_IMPACT_LIM value 


value should be kept low: between 1 and 10. 


Installation steps: 

10. Inst all IBM Tivoli Directory Server 5.2 using the Install Sh ield GUI or SMIT. 
See "Installing on a UNIX-based platform" on page 53 or "SMIT installation 


on page 58 for Information. 


Post-installation steps: 


11. Migrate the configuration and Schema by executing the migrate52 script. Type 
the following commands at a command prompt: 

cd installpath/etc 
. ./sbin/migrate52 -s backuppath 


wher ebackuppath is the path where you backed up the files in step 
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4 on 


Note: You must run the migrate52 script even if you did not modify the 
previous Schema. There are new Schema files and entries in the 
ibmslapd.conf file that are not compatible with previous versions. 


Migration from IBM Directory Server Version 4.1 or 5.1 for UNIX 
installations 


The instructions in this section are for Solaris, Linux, zSeries Linux, iSeries and 
pSeries Linux, and HP-UX. Do not use these instru ctions to migrate on an AIX 
System. If you are migrating on an AIX System, see "Migration from IBM Directory 


Server version 4.1 or 5.1 for AIX installations" on page 37 


Note: If you have th e Web Administration Tool installed from IBM Directory 

Server 5.1, see ^Migrating_Jhe_^eb^dministration_Tool_^nd^i£^radin^^e 


embedded version of WebSphere Application Server 
for information. 


Express" on page 43 


To migrate an existing directory Server, use the following procedure: 

Pre-installation steps: 

1. Back up the previous versions of the slapd32.conf or ibmslapd.conf and any 
Schema files from the installpath/etc directory to the installpath/etc/userV52 
directory. (You must create the installpath/e tc/userV52 directory.) installpath is 
the directory where IBM Directory Server 4.1 or 5.1 is installed. 

These include files with the following file extensions: 

• .oc 

• .at 

• .conf 
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and the following files: 

• V3.1dapsyntaxes 

• V3.matchingrules 

• V3.modifiedschema 


2. Uninstall IBM Directory Server 4.1 or 5.1, using the same utility you used to 
install. (Do not uninstall on HP-UX.) 

Installation steps: 


3. 


Install IBM Tivoli Directory Server 5.2 using one of the following: 


pkgadd for Solaris. See "Command line installation using pkgadd" on 


page 69 


for information. 


RPM for Linux. See "Installing IBM Tivoli Directory Server" on page 63 for 
information. 


swinstall for HP-UX. See 

Chapter 10, "Installing IBM Tivoli Directory Server 

using HP-UX Utilities' 

, on page 73 

for information. 


InstallShield GUI. See 

"Installing on a UNIX-based platform" on page 53 

for 


information. 


4. Migrate the configuration and Schema by executing the migrate52 script. Type 
the following commands at a command prompt: 

cd installpath/etc 
. ./sbin/migrate52 


Note: You must run the migrate52 script even if you did not modify the 
previous Schema. There are new Schema files and entries in the 
ibmslapd.conf file that are not compatible with previous versions. 


Migrating the Web Administration Tool and upgrading the embedded 
Version of WebSphere Application Server - Express 

If you currently have the Web Administration Tool from IBM Directory Server 5.1 
installed into the embedded version of WebSphere Application Server - Express 
V5.0, you can use one of the following sections to install the 5.0.2 fix pack for the 
embedded version of WebSphere Application Server - Express V5.0 and migrate to 
the 5.2 Web Administration Tool. 

For Windows installations 

On Windows installations, if you use the InstallShield GUI to install, the embedded 
version of WebSphere Application Server - Express V5.0 is upgraded to 5.0.2 
during installation, and the Web Administration Tool is installed into the 
embedded version of WebSphere Application Server - Express. This is the preferred 
method of installation for Windows. The following section is provided for 
reference. 

On Windows, it is possible to Upgrade the embedded version of WebSphere 
Application Server - Express V5.0 and migrate the Web Administration Tool as 
follows: 

1. Download fix pack 2 for the embedded version of WebSphere Application 
Server - Express V5.0 from the Web site where you downloaded IBM Tivoli 
Directory Server. 

2. Back up the following configuration files, which are in the 

MASPath\ instal1edApps\DefaultNode\IDSWebApp.war.ear\IDSWebApp.war\WEB- 
INF\classes\ directory: 

• security\console_passwd 
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• IDSConfig\IDSSessionConfig\IDSSessionMgmt.xml 

• IDSConf ig\ IDSServersConf ig \ IDSServersInfo. xml 

where WASPnth is the path where you installed the embedded version of 
WebSphere Application Server - Express V5.0 that was provided with IBM 
Directory Server V5.1. If you used the recommended path, WASPnth is 
ldnphome \appsrvY 

3. Run the following command to uninstall the Web Administration Tool: 
t//ISPa£/Abin\wsadmin.bat -conntype NONE -c "$AdminApp uninstall IDSWebApp.war" 

4. Install the 5.0.2 fix pack for the embedded version of WebSphere Application 
Server - Express as follows: 

a. Stop the application Server if it is running, using the command: 

WASPat/Abi n\stopServer.bat Server 1 

b. Install the fix pack by typing the following commands: 
set JAVA_H0ME=WA5Pat/?\java 

WAS_FP2_Path\ updateSilent.sh -installDir \k/ASPath -fixpack -install 
-fixpackDir \k/AS_FP2_Path \fixpacks -skipIHS -skipMQ 
-fixpackID was50_express_fp2_win -noBackup -noLog -noHistory 


where WAS_FP2_Pat h is the directory where you downloaded the fix pack 


in step |1 on page 43 


5. Install the Web Administration Tool provided with IBM Tivoli Directory Server 
5.2 if you have not done so already. 


6 . 


7. 

8 . 


Install the new Web Administration Tool into the embedded version of 
WebSphere Application Server - Express V5.0.2, using the instructions i n 

"Installing the Web Administration Tool into the embedded version of 


WebSphere Application Server - Express" on page 125 

Rest ore the Web A dministration Tool configuration files that you backed up in 


step |2 on page 43 


Start the embedded version of WebSphere Application Server - Express. See 


Starting the application Server to use the Web Administration Tool" on 


f 


P a S e 97| 


Note: If you plan to use the Web Administration Tool in a non-English language , 
see |"Corruption of data entered in Web Administration Tool" on page 111 

For UNIX installations 

On UNIX installations other than zSeries Linux, migrate the Web Administration 
Tool as follows: 

1. Download fix pack 2 for the embedded version of WebSphere Application 
Server - Express V5.0 from the Web site where you downloaded IBM Tivoli 
Directory Server. 

2. Back up the following configuration files, which are in the 

MASPath/i nstal1edApps/DefaultNode/IDSWebApp.war.ear/IDSWebApp.war/WEB- 
INF/classes/ directory: 

• security/console_passwd 

• IDSConf ig / IDSSessionConf ig / IDSSessionMgmt .xml 

• IDSConf ig / IDSServersConf ig / IDSServersInfo. xml 

where WASPnth is the path where you installed the embedded version of 
WebSphere Application Server - Express V5.0 that was provided with IBM 
Directory Server V5.1. If you used the recommended path, WASPnth is 
Idnphome / appsrv /. 
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3. Run the following command to uninstall the Web Administration Tool: 
WASPafA/bin/wsadmin.sh -conntype NONE -c "\$AdminApp uninstall IDSWebApp.war" 

4. Install the 5.0.2 fix pack for the embedded version of WebSphere Application 
Server - Express as follows: 

a. Stop the application Server if it is running, using the command: 
k/ASPath /bin/stopServer.sh Server 1 

b. Install the fix pack by typing the following commands: 
export JAVA_H0ME=WASP£7t/?/java 

W/15_FPP_Pot/;/updateSilent.sh -installDir /klASPath -fixpack -install 
-fixpackDir /klAS_FP2_Path/fixpacks -skipIHS -skipMQ 
-fixpackID fp_name -noBackup -noLog -noHistory 


where 

• WA S FP2 Pnth is the directory where you downloaded the fix pack in 


step 1 on page 44 


• fp_name is the name of the fix pack and depends on the operating System 
platform: 

AIX was50_express_fp2_aix 

xSeries Linux 

was50_express_fp2_linux 

Solaris 

was50_express_fp2_solaris 

HP-UX 

was50_express_fp2_hpux 

5. Install the Web Administration Tool provided with IBM Tivoli Directory Server 
5.2 if you have not done so already. 

6. Install the new Web Administration Tool into the embedded version of 
WebSphere Application Server - Express V5.0.2, using the instructions i n 


Tnstalling the Web Administration Tool into the embedded version of 


WebSphere Application Server - Express" on page 125 

7. Rest ore the Web A dministration Tool configuration files that you backed up in 


step |2 on page 44 


8. Start the embedded version of WebSphere Application Server - Express. See 


Starting the application Server to use the Web Administration Tool" on 


page 97 


Note: If you plan to use the Web Administration Tool in a non-English language , 
see |"Corruption of data entered in Web Administration Tool" on page 111 

For zSeries Linux installations 

To Upgrade the embedded version of WebSphere Application Server - Express on 
zSeries Linux: 

1. In the WAS_home/bin directory, run the following command to create a 
backup of your existing configuration: 

backupConfig.sh 

This creates a zip file called WebSphereConfig_i/i/i/i/-nnn-tki.zip. 

2. Move this zip file to a directory outside your WASJwme directory. 
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WASJiome is the directory where the embedded version of WebSphere 
Application Server - Express is installed. This is Idaphome/ appsrv if you used 
the recommended directory for installation. 

3. Back up the following configuration files, which are in the 

UASPath/ instal1edApps/DefaultNode/IDSWebApp.war.ear/IDSWebApp.war/WEB- 
INF/classes/ directory: 

• security/console_passwd 

• IDSConfig/IDSSessionConfig/IDSSessionMgmt.xml 

• IDSConf ig / IDSServersConfig / IDSServersInf o. xml 

where WASPath is the path where you installed the embedded version of 
WebSphere Application Server - Express V5.0 that was provided with IBM 
Directory Server V5.1. If you used the recommended path, WASPath is 
Idaphome/ appsrv/. 

4. Uninstall the embedded version of WebSphere Application Server - Express 
version 5.0 by removing the WASJwme directory. 

5. Install the embedded version of WebSphere Application Server - Express 
version 5.0.2 

6. In the WASJiome /bin directory, run the following command: 
restoreConfig.sh backup jafA/WebSphereConfig^yyyy-mm-dtf.zip 

where backupjpath is the path where you moved the 

WASJiome /bin/restoreConfig.sh WebSphereConfig_i/t/t/i/-mm-dd.zip file. 

This command does the following: 

• Creates a backup of the 5.0.2 configuration. (This will be a directory named 
WASJiome / config.old) 

• Copies the 5.0 configuration into the new 5.0.2 installation (in the config 
directory). 

7. Modify the W4S_/?owze/config/cells/DefaultNode/security.xml file to include 
the following <entry> stanzas: 

<entries xmi:id="JAASConfigurationEntry_6" alias="wssecurity.IDAssertion"> 

<1oginModules xmi:id="JAASLoginModule_6" 

modu1eClassName="com.ibm.ws.security.common.auth.module.proxy.WS LoginModuleProxy 
authenticationStrategy="REQUIRED"> 

<options xmi:id="Property_8" name="delegate" 

value="com.ibm.wsspi.wssecurity.auth.module.IDAssertionLoginModule"/> 

</loginModules> 

</entries> 

<entries xmi:id="JAASConfigurationEntry_7" alias="wssecurity.Signature"> 

<1oginModules xmi:id="JAASLoginModule_7" 

modu1eClassName="com.ibm.ws.security.common.auth.module.proxy.WS LoginModuleProxy 
authenticationStrategy="REQUIRED"> 

<options xmi:id="Property_9" name="delegate" 

value="com.ibm.wsspi.wssecurity.auth.module.SignatureLoginModule"/> 

</loginModules> 

</entries> 

Note: Some lines have been broken in the example to fit on the page. Be sure 
to enter each of the 1 ogi nmodul es entries and each of the options 
entries on a single line. 

If you added entries in the 5.0 configuration before performing this manual 
migration, you might have to change the IDs for the entries. 

8. At the Server level, copy all occurrences of the ws-security.xml file from the 
WA SJiome/ con fig.old directory into the corresponding location in the 
W4S Jiome/ config directory. 
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9. At the Server level of the templates directory, copy the variables.xml and 
ws-security.xml files from the WASJiome /config.old directory into the 
corresponding location in the WASJwme /config directory. 

10. Copy the Server, xml file from the 

WÄS_/!owze/config.old/templates/system/nodes/Servers/jmsserver into the 
corresponding location in the WASJwme /config directory. 

11. Copy the WASJwme/ config.old/templates/System/jdbc-resource-provider- 
templates.xml file into the corresponding location in the WASJiome /config 
directory. 

12. Run the following command to uninstall the Web Administration Tool: 
t/ASPatA/bin/wsadmin.sh -conntype NONE -c "\$AdminApp uninstall IDSWebApp.war" 


13 . 

14 . 


15 . 

16 . 


Install the Web Administration Tool provided with IBM Tivoli Directory 


Server 5.2 if vou have not done so alreadv. See 

Chapter 8, "Installing IBM 

Tivoli Directory Server using Linux Utilities", on page 63 



Install the new Web Administration Tool into the embedded version of 
WebSphere Application Server - Express V5.0.2, using the instructions in 

"Installing the Web Administration Tool into the embedded version of 


WebSphere Application Server - Express" on page 125 

Rest ore the Web A dministration Tool configuration files that you backed up in 


step |3 on page 46 


Start the embedded version of WebSphere Application Server - Express. See 


Starting the application Server to use the Web Administration Tool" on 


page 97 


Note: 


If you plan to use the Web Administration Tool in a non-English language . 


see|"Corruption of data entered in Web Administration Tool" on page 111 
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Chapter 6. Installing using the InstallShield GUI 


You can use the InstallShield GUI to install IBM Tivoli Directory Server on 
Windows, AIX, and Solaris platforms. It is also available for xSeries Linux 
platforms. If you do not want to use the InstallShield GUI to install, this guide 
contains a manual i nstallation procedure for each platform in separate chapters. 
For an example, see Chapter 7, "Installing IBM Tivoli Directory Server using AIX 


Utilities", on page 57 


Be sure that the requirements for your operating System are m et betöre you begin 
installation. See Chapter 4, "System requirements", on page 13 for information. 


Attention 


See "Migration from SecureWay Directory Version 3.2.2 for AIX installations 


oryjage33 or "Migration from IBM Directory Server version 4.1 or 5.1 for 


AIX installations" on page 37 for instructions for migrating and restoring 
backed-up files after reinstallation on an AIX System. 


Read and understand the migration process in ["Migration from SecureWay 


Director^_^rsion_^ ; 2 ; 2^or_So]nris_^ndM ; inuxdnstallations^OTi_ga2e35 or 


Ajjgratio]MromJEM^_Krectory Server Version 4.1 or 5.1 for UNIX 


installations" on page 42 for instructions for migrating and restoring 
backed-up files after reinstallation on a Linux, Solaris, or HP-UX System. 

If you have SecureWay Directory version 3.1.1.5, 3.2, 3.2.1, or 3.2.2 or IBM 

Directory Server 4.1 or 5.1 installed on a Windows System, read and _ 

understand the migration process in "Migration from SecureWay Directory 


Version 3.2.2 for Windows InstallShield GUI installations" on page 30|or 


Mjgratiomfro^^ Server version 4.1 or 5.1 for Windows 


installations" on page 37 betöre installing IBM Tivoli Directory Server 5.2. 


It is very important that you back up and export previous versions of Schema 
files and the Server configuration file betöre installing IBM Tivoli Directory 
Server 5.2. 


If you install IBM Tivoli Directory Server using the InstallShield GUI, you must 
also uninstall using the InstallShield GUI. This is also true for installation of 
corequisite products such as DB 2, the embedded version of WebSphere Applica tion 


Server - E xpress, and GSKit. See|"Uninstalling IBM Tivoli Directory Server" on 


page 100 for instructions for removing IBM Tivoli Directory Server using the 
InstallShield GUI. 


Installing on a Windows platform 

Use the information in the following sections to install IBM Tivoli Directory Server 
5.2 on a Windows platform using the InstallShield GUI. 

Betöre you install 

Betöre installing, be sure that the following conditions are met. If these conditions 
are not met, the installation program will exit. 


© Copyright IBM Corp. 1998, 2003 
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If you have a Version of SecureWay Directory earlier than 3.2.2 installed on 
your System: 

Upgrade to 3.2.2 or la ter betöre installing IBM Tivoli Directory Server 5.2. Then 


use the instructions in Chapter 5, "Migration from previous releases", on page 29 


to migrate your data and install IBM Tivoli Directory Server 5.2. 

If you have SecureWay Directory Version 3.2.2 or IBM Directory Server 4.1 or 
5.1 installed on your Computer: 

Use the instructions in 


Chapter 5, "Migration from previous releases", on page 29 


to migrate your data and install IBM Tivoli Directory Server 5.2. 

If you have a Version of DB2 earlier than 7.2 with FixPak 5 installed on your 
Computer: 


Upgrade to DB2 7.2 FixPak 5 or later, or remove DB2. DB2 8.1 with FixPak 2 is 
included with IBM Tivoli Directory Server. If you do not have a Version of DB2 
on your System, the InstallShield GUI installs it if you choose to install the 
Server. 


Attention: Export your data using db2ldif before unconfiguring and removing 
your current database. Do not use the DB2BACKUP command. If you do not 
export before unconfiguring and removing the database, you will lose your data. 

• If you have the embedded Version of WebSphere Application Server - Express 
installed on your Computer: 

The embedded version of WebSphere Application Server - Express v5.0.2 is 
provided with IBM Tivoli Directory Server 5.2. If version 5.0 of the embedded 
version of WebSphere Application Server - Express is already installed, the 
InstallShield GUI installation program Upgrades it to version 5.0.2. 


Creating the DB2 database owner 

Before you install, create or be sure that you have created the user ID that will 
own the DB2 database used to störe the directory data. You will be asked to 
provide this user ID and its password during configuration, which runs 
automatically after installation and System restart. The user ID must be 8 
characters or less, and it must be a member of the Administrators group. If you are 
creating a new database, a DB2 instance with the same name as the user ID will be 
created to hold the database. 


Installing IBM Tivoli Directory Server on a Windows platform 

To install IBM Tivoli Directory Server 5.2: 

1. On the Computer where you are installing the IBM Tivoli Directory Server, 
stop any programs that are running and close all Windows. If you have open 
Windows, the initial IBM Tivoli Directory Server installation window might be 
hidden behind other Windows. 

2. If you are installing from a CD, insert the CD in your CD-ROM drive. 

3. If you are installing locally from a CD or remotely from the network, go to the 
drive for your CD-ROM or for the appropriate network path. If you 
downloaded a zipped file, go to the directory where you unzipped the file. 

4. In the \ismp folder, double-click the setup.exe icon. 

The language window is displayed. 

Note: When installing on Windows, if the installation program exits without 
displaying the language window, it might be caused by one of the 
following: 

• Backlevel video drivers. Update your video drivers to the most 
recent levels to correct this. 
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• Not enough space in the directory specified by the TEMP 

environment variable. Be sure that you have at least 100 MB of free 
space in this directory. 

5. Select the language you want to use during IBM Tivoli Directory Server 
Installation. Click OK. 


6 . 

7. 


Note: This is the language used in the Installation program, not in IBM Tivoli 
Directory Server. You choose the language used in IBM Tivoli Directory 


Server in step 


11 


On the Welcome window, click Next. 


If a previous or current Version of IBM Tivoli Directory Server is not installed 
on your System, go to step [8j If a previous version of IBM Tivoli Directory 
Server is installed on your System, do one of the following: 


If you have the Server installed on your System from a previous version 
of IBM Tivoli Directory Server: You are asked if you want to migrate your 
configuration. Click Yes to migrate or No to overwrite your previous 


installation. See |Chapter 5, "Migration from previous releases", on page 29 


for complete migration instructions. 


Attention: If you choose to click No and overwrite your previous 
installation, you will lose your data and any configuration or Schema 
changes you have made will be lost. 


• If you have the Client SDK installed on your System from a previous 
version of IBM Tivoli Directory Server: You are asked if you want to 
continue with the installation. Click Yes to install over the previous version 
of the Client SDK, or click No to exit the installation. 


• If you have the Web Administration Tool installed on your System from a 
previous version of IBM Tivoli Directory Server: You are asked if you 
want to continue with the installation. Click Yes to install over the previous 
version of the Web Administration Tool, or click No to exit the installation. 


• If you have the current version of the Server, the dient SDK, or the Web 
Administration Tool installed on your System: You are asked if you want 
to exit the installation. If you do not exit and back up your files, they will 
be overwritten during the installation. 

• If you have the 5.0 version of the embedded version of WebSphere 
Application Server - Express installed, you are told that it will be upgraded 
to the 5.0.2 version. 


8. After reading the Software license agreement, select I accept the terms in the 
license agreement. Click Next. 

9. Any preinstalled components and corresponding version levels are displayed. 
Click Next. 

10. To install to the default directory, click Next. You can specify a different 
directory by clicking Browse. 


Note: Do not use special characters, such as hyphen (-) and period (.) in the 

name of the installation directory. If you do not use the default location, 
use a name such as ldap or ldapdir. Do not use a name such as 

ldap-dir or ldap.dir. 

11. Select the language you want to use in IBM Tivoli Directory Server 5.2. Click 

Next. 

12. A window showing the following components for installation is displayed: 

• Client SDK 5.2 

• Web Administration Tool 5.2 
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• Server 5.2 

• IBM WebSphere Application Server - Express 5.0.2 

• DB2V8.1 

• GSKit 


The components that are not yet installed are preselected. You can choose to 
reinstall the Server, the dient, or the Web Administration Tool if they were 
previously installed. 


Notes: 


a. If you install the Web Administration Tool, Directory Services Markup 


Language (DSML) files are also copied to your Co mputer. See Appendix F, 


'Installing and configuring DSML", on page 131 


installing and configuring DSML. 


for information about 


b. If you install the Web Administration Tool, an application Server is 

required to run the tool. If you select IBM WebSphere Application Server 
- Express and you do not have the 5.0 version installed, the embedded 
version of WebSphere Application Server - Express, v5.0.2 is installed and 
configured for you. If version 5.0 of the embedded version of WebSphere 
Application Server - Express is already installed, the InstallShield GUI 
Installation program Upgrades it to version 5.0.2. Any configuration files 
from the previous Web Administration Tool are backed up and restored. If 
you use another application Server, such as WebSphere, you must install 
the Web Administration Tool file, IDSWebApp.war, into the application 
Server after you install. For information about installing the embedded 
version of WebSphere Application Server - Express into WebSphere, see 

Appendix E, "Installing the Web Administration Tool into WebSphere", on 

page129 


This window also indicates the amount of disk space required and available 
on the selected drive. 


Be sure the components you want to install are selected, and click Next. 

13. If you selected DB2 V8.1 in step 12 on page 51 a window is displayed 

prompting you to enter a Windows user ID and password for the DB2 System 
ID. The default user ID is db2admin. On the window: 


a. Type the user ID or accept the default. 

b. Type the password, and then type the password again for verification. 

c. Click Next. 


14. 


Notes: 


a. 

b. 


This user ID must not be the one you created in "Creating the DB2 


database owner" on page 50 


If you are using an existing Windows user ID, be sure that your password 
is correct. Otherwise, DB2 does not install correctly. 


c. If you are using an existing Windows user ID, it must be a member of the 
Administrators group. 

d. If you are not using an existing user ID, DB2 creates the user ID you 
specify with the password you type. 


The installation program now has enough information to begin installing. A 
summary window displays the components you selected and the locations 
where the selected components will be installed. Click Back to change any of 
your selections. Click Next to begin installation. 
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Note: After installation has begun, do not try to cancel the installation. If you 


inadvertently cancel the i nstallation, see "Recovering from a failed 


installation" on page 106 betöre you attempt to reinstall. 


15. After the files are installed: 


• If you installed the client, the Client Readme file is displayed. Read the file 
and click Next. 

• If you installed the Server, the Server Readme file is also displayed. Read 
the file and click Next. 

• If you installed the Web Administration Tool, the Web Administration Tool 
Readme file is also displayed. Read the file and click Next. 

16. Select to restart your Computer now or later. Click Finish. 


Note: If you installed the Server, you must restart your System to complete 
IBM Tivoli Directory Server configuration. You are unable to use IBM 
Tivoli Directory Server until this is completed. 


After your Computer is restarted, if you installed the Server, log in using the same 
user ID that you used to install IBM Tivoli Directory Server. The Configuration 
Tool automatically runs so that you can complete the Server configuration. Betöre 
you can use the Server, you must set the administrator DN and password and 
configure the database that will störe the directory data. To complete configuration, 
use the following instructions: 


1 . 

2 . 


To set the administrator DN and password, us e the instructions in "Setting the 


Administrator DN and password" on page 84. 


To configure the database, use the instructions in "Configuring the database' 


on page 86 


You have completed installation and configuration. 


To make changes to your con figuration at a later time, see Chapter 12, 


'Configuration", on page 83 for more information about using the Configuration 


Tool. 


If any errors occurred during in stallation or configuration, see Chapter 15, 


'Troubleshooting", on page 105 for information. 


Installing on a UNIX-based platform 

Use the information in the following sections to install IBM Tivoli Directory Server 
5.2 on a UNIX-based platform using the InstallShield GUI. 

Betöre you install 

Betöre you install, be sure that the following conditions are met: 


If vou have a Version of SecureWav Directory installed on vour svstem, see 

"Migration from SecureWav Directory Version 3.2.2 for AIX installations" on 

page 33 

or 

"Migration from SecureWay Directory Version 3.2.2 for Solaris and 

Linux installations" on page 35 



• If you have a Version of IBM Directory Server installed on your System, see 


"Migration from IBM Directory Server version 4.1 or 5.1 for AIX installations' 

on 

page 37 

or 

"Migration from IBM Directory Server Version 4.1 or 5.1 for UNIX 


installations" on page 42 




• If you have the embedded Version of WebSphere Application Server - Express 
installed on your Computer: 
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The embedded version of WebSphere Application Server - Express v5.0.2 is 
provided with IBM Tivoli Directory Server 5.2. If version 5.0 of the embedded 
version of We bSphere Application Server - Express is already installed, use the 
instructions in |"Mi^ratin^he > ^eb^dministration_Ibol_^ndm£^radin^Jhe 


embedded version of WebSphere Application Server - Express" on page 43| to 
install fix pack 2 for the embedded version of WebSphere Application Server 
Express and to Upgrade the Web Administration Tool. 


Note: Upgrading to version 5.0.2 is not done through the InstallShield GUI on 
UNIX platforms. You must either uninstall the 5.0 version and install 5.0.2 
through the InstallShield GUI or follow the manual instructions in 

"Migrating the Web Administration Tool and upgrading the embedded 
version of WebSphere Application Server - Express" on page 43 


Installing IBM Tivoli Directory Server on a UNIX-based 
platform 

To install IBM Tivoli Directory Server 5.2: 

1. If you are installing from a CD, insert the CD in the CD-ROM drive and 
mount the CD. If you downloaded a tar file, go to the directory where you 
untarred the file. 

2. From the root directory on the CD or the directory where you untarred the 
file, type ./setup. A language window is displayed. 

3. Select the language you want to use during IBM Tivoli Directory Server 
installation. Click OK. 

Note: This is the language used in the installation program, not in the IBM 

Tivoli Directory Server. You choose the language used in the IBM Tivoli 
Directory Server in step [ 7 ] 

4. On the Welcome window, dick Next. 


Attention: If you have a version of SecureWay Directory or IBM Directory Server 

already installed on your System, a message is displ ayed telling you that you mu st 


remove it betöre installing. Bet öre you uninstall, see Chapter 5, "Migration from 


previous releases", on page 29 for instructions for saving and backing up your 

data. If you do not save and back up your data, you will lose it during the 
uninstallation procedure. 


5. After reading the Software license, select I accept the terms in the license 
agreement. Click Next. 

6. Any preinstalled components and corresponding version levels are displayed. 
Click Next. 


7. Select the language you want to use in IBM Tivoli Directory Server 5.2. Click 
Next. 


8. A window is displayed with the following components: 

• Client SDK 5.2 

• Web Administration Tool 5.2 

• Server 5.2 

• IBM WebSphere Application Server - Express 5.0.2 

• DB2V8.1 

• GSKit 


The components that are not yet installed are preselected. 
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This window also indicates the amount of disk space required and available 
on the selected drive. 


Be sure the components you want to install are selected, and click Next. 
Notes: 

a. If you install the W eb Administration Tool, DSML files are also copied to 


your Com puter. See Appendix F, "Installing and configuring DSML", on 


page 131 for information about installing and configuring DSML. 


b. 


If you install the Web Administration Tool, an application Server is 
required to run the tool. If you select IBM WebSphere Application Server 
- Express and you do not have the 5.0 version installed, the embedded 
version of WebSphere Application Server - Express, v5.0.2 is installed and 
configured for you. If you use another application Server or if the 
embedded version of WebSphere Application Server - Express is already 
installed, you must, after Installation, install the IDS Web App .war file into 
the application directory for your application Server. For information about 
installing and configuring the embedded v ersion of WebSphere 
Application Server - Express manually, see AppendixF^WInstalling, 


configuring, and uninstalling the embedded version of WebSphere 


Application Server - Express", on page 125 
9. The installation program now has enough information to begin installing. A 
summary panel displays the components you selected and the locations where 
the selected components will be installed. Click Back to change any of your 
selections. Click Next to begin Installation. 


Note: Düring the Installation of the Server or dient on Solaris, if a non-IBM 
version of LDAP is found, the files are moved to the 
/usr/bin/ldapsparc directory. 

10. After the files are installed: 

• If you installed the dient, the Client Readme file is displayed. Read the file 
and click Next. 

• If you installed the Server, the Server Readme file is also displayed. Read 
the file and click Next. 

• If you installed the Web Administration Tool, the Web Administration Tool 
Readme file is also displayed. Read the file and click Next. 

11. Click Finish. Installation is complete. 


If you installed the Server, the Configuration Tool automatically runs so that you 
can complete Server configuration. Betöre you can use the Server, you must set the 
administrator DN and password and configure the database that will störe the 
directory data. To complete configuration, use the following instructions: 


1 . 

2 . 


To set the administrator DN and password, us e the instructions in "Setting the 


Administrator DN and password" on page 84. 


To configure the database, use the instructions in 

"Configuring the database" 

on page 86 




You have completed Server configuration. 


To make changes to your con figuration at a later time, see Chapter 12, 


'Configuration", on page 83 for more information about using the Configuration 


Tool. 
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If arty errors occurred during in stallation or configuration, see Chapter 15, 


'Troubleshooting", on page 105 or information. 
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Chapter 7. Installing IBM Tivoli Directory Server using AIX 
Utilities 


You can use either of the following Utilities to install IBM Tivoli Directory Server 
on AIX: 


SMIT (T his is the preferred Installation method.) See "SMIT installation" on 
for Information. 


page 58 


installp. See "Command line installation using installp" on page 60 
information. 


for 


Before you install IBM Tivoli Directory Server, be sure you have DB2 Version 8.1 
FixPak 2 installed. You can use the db2_install command to install the version of 
DB2 provided. 


If you are installing the Web Administration Tool, you must also install an 
application Se rver such as the embedded version of WebSphere Application Server 
- Express. See Appendix D f "Installing f configuring f and uninstalling the embedded 


version of WebSphere Application Server - Express", on page 125|for information. 


Attention: Use SMIT (see |"SMIT installation" on page 58) to install IBM Tivoli 
Directory Server if you want to migrate from a 3.2.2 version of SecureWay 
Di rectory or IBM Directory Server 4.1 or 5.1. Use the appropr iate migration process 
in Chapter 5, "Migration from previous releases", on page 29 before installing the 


IBM Tiy oli Directory Server. |Chapter 5, "Migration from previous releases", on 


page 29 contains instructions for migrating and restoring backed-up files after 
reinstallation on an AIX System. It is very important that you back up and export 
previous versions of Schema files and the Server configuration file before installing 
the IBM Tivoli Directory Server 5.2. 


Notes: 


1. Full dient and Server versions require an Xll environment. Versions of IBM 
Tivoli Directory Server dient and Server with no Xll requirements are available 
in this release. For a dient with no Xll requirements, install the minimal dient 
that provides IBM Tivoli Directory Server Client Runtime (ldap.client.rte) and 
IBM Tivoli Directory Server Client SDK (ldap.client.adt). 

For a Server with no Xll requirements, do not install the IBM Tivoli Directory 
Server Configuration Tool (ldapxcfg). ldapxcfg is located in the ldap.server.cfg 
fileset. 


2. You do not need to install security functions if you are not going to use them. 
You can provide SSL by installing a Global Security Kit (GSKit), which is 
included with IBM Tivoli Directory Server 5.2. 


3. If you are installing I BM Tivoli Directory Server on a node within an RS 7 6000 


SP environment, see 

"Before installing on a node within an RS/6000 SP 

environment" on page 58 

before beginning installation. 


For more detailed information about installation procedures and commands for the 
AIX operating System, see the AIX Installation Guide provided with the operating 
System. 
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Betöre installing on a node within an RS/6000 SP environment 


Note: Use this section only if you are installing on a node within an RS/6000 SP 
environment. 

If you are installing IBM Tivoli Directory Server on a node within an RS/6000 SP 
environment you must first add the necessary users and groups to the Control 
Workstation (CWS) and propagate them out to the nodes using the 
/var/sysamn/supper update command, as follows: 

1. Add the ldap user and group on the CWS. For example: 

mkgroup fd=300 ldap 
mkuser id=300 ldap 
chgrpmem -m + ldap ldap 

Note: The user IDs and group IDs used are for the purpose of this example. 
You can choose different user IDs and group IDs for your environment 
or use the System defaults. 

2. Remove the home directory of the ldap user. 
rrn -rf /home/1dap 

3. Update the RS/6000 SP nodes with the new users and groups. 
/var/sysamn/supper update 

You are now ready to install and configure IBM Tivoli Directory Server on the 
RS/6000 SP node. 


SMIT installation 

To install IBM Tivoli Directory Server using SMIT: 

1. Log in as root. 

2. Insert the CD containing IBM Tivoli Directory Server 5.2 into the CD-ROM 
drive and mount the CD, or go to the directory where you untarred the file. 

3. At the command prompt, type the following: 
smit install 

and press Enter. The Software Installation and Maintenance window is 
displayed. 

4. Click Install and Update Software. The Install and Update Software window 
is displayed. 

5. Click Install and Update from ALL Available Software. 

6. Click List next to the INPUT device/directory for Software field. 

7. Select the appropriate CD-ROM drive or the directory containing the IBM 
Tivoli Directory Server images. 

8. Move your Cursor to Software to install. Do one of the following: 

• Type 1 dap to install all the ldap filesets (or ldap.Server, or ldap.dient, if 
appropriate). 

• Click List to list all the filesets on the CD, and then select the filesets that 
you want to install, including different translations of IBM Tivoli Directory 
Server messages. 

Note: By default SMIT installs translated messages based on the language 
you configured into your AIX System. 


58 IBM Tivoli Directory Server: Installation and Configuration Guide 




ALL 


If you select the list Option, you see, for example: 

> ldap.dient 

5.2.0.0 Directory Client Runtime (No SSL) 
5.2.0.0 Directory Client SDK 


> ldap.html.en_US ALL 

5.2.0.0 Directory HTML Instal 1/Config Gd-U.S. English 
5.2.0.0 Directory HTML Man Pages - U.S. English 

> ldap.Server ALL 

5.2.0.0 Directory Server Config 

5.2.0.0 Directory Server Framework (No SSL) 

5.2.0.0 Directory Server Java 
5.2.0.0 Directory Server Runtime 

> 1dap.webadmin ALL 

5.2.0.0 Directory Administrative Interface 

Note: The ldap.html packages are language specific. The ldap.html.en_US 
package is used as an example. 

Select the filesets you want to install and click OK. 

9. Click OK. The message Are You Sure? is displayed. 

10. Click OK to Start the installation. 

11. Check the installation summary at the end of the output to verify successful 
installation of the filesets. 

12. Click Done. 

13. To exit SMIT, press F12, or click Cancel until you are back to a command 
prompt. To verify that the IBM Tivoli Directory Server was installed 
successfully, type the following at a command prompt: 

lslpp -L | grep ldap 


The output displayed lists all the filesets starting with ldap. This list includes 
the Server, dient, HTML, and message filesets. For example: 


14 . 


dap.client.adt 

5.2.0.0 

C 

Di rectory 

SDK 

dap.client.rte 

5.2.0.0 

C 

Directory 

CIient 

dap.html .en_US.config 

5.2.0.0 

C 

Directory 

HTML 

dap.html .en_US.man 

5.2.0.0 

C 

Directory 

HTML man 

dap.msg.enJJS 

5.2.0.0 

C 

Directory Messages 

dap.Server.cfg 

5.2.0.0 

C 

Directory 

Server 

dap.Server.java 

5.2.0.0 

C 

Directory 

Server 

dap.server.com 

5.2.0.0 

C 

Directory 

Server 

dap.Server.rte 

5.2.0.0 

C 

Directory 

Server 

dap.webadmin 

5.2.0.0 

C 

Directory Administrative 


If you want to incl ude security functions, install GSKit 7a. See "Installing 


GSKit" on page 61 


Notes: 


2 . 


If you install t he Web Administration Tool, DSML files are also copied to yo ur 
Computer. See Appendix F, "Installing and configuring DSML", on page 131 for 
Information about installing and configuring DSML. 

If you install the Web Administration Tool, an application Server such as the 
embedded versi on of WebSphere Application Server - Express is required to 
run the tool. See Appendix D, "Installing, configuring, and uninstalling the 


embedded version of WebSphere Application Server - Express", on page 125 for 
Information about installing and configuring an application Server. 
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Command line installation using installp 


Note: If you want to migrate from a 3.2.x version of SecureW ay Directory or a 


yersion of IB M Directory Server, use the instructions in "SMIT installation 


on page 58 to install IBM Tivoli Directory Server. 


To install the IBM Tivoli Directory Server from a command prompt: 

1. Log on as root. 

2. Insert the CD containing IBM Directory Version 5.2 into the CD-ROM drive and 
mount the CD, or go to the directory where you untarred the file. 

3. Determine which IBM Tivoli Directory Server packages you need. The packages 
are as follows: 

• For the Server and dient, the package name is ldap.Server. 

• For the dient only, the package name is ldap.dient. 

• For the Web Administration Tool, the package name is ldap.webadmin. 

• For all packages, including all language translations of the message files and 
documentation, the package name is ldap. 

4. Determine which language versions of the message files and documentation 
you need. To see the language versions that are available, type the following 
command: 

installp -ld /dev/cd0 | grep ldap 

A list of all the installable IBM Tivoli Directory Server packages is displayed. 

Some examples of United States English-specific packages are: 

ldap.html .en_US.man 
ldap.msg.enJJS 

5. At the command prompt, install the required packages by tvping the following 
command: 

installp -acgXd /dev/cd0 packages 
where : 

• -a Stands for apply. 

• -c Stands for commit. 

• -g installs prerequisites if necessary. 

• -X increases the file System space if needed. 

• -d Stands for device. 

• packages is the package name or list of package names you want to install. 
Examples: 

To install only the IBM Tivoli Directory Server Server and dient files, type: 
installp -acgXd /dev/cd0 ldap.Server 

To install all of the IBM Tivoli Directory Server filesets (including messages in 
every available language), type: 
installp -acgXd /dev/cd0 ldap 

6. Upon completion of installation, the System generates an installation summary. 
Verify that the Result column shows success for all loaded files. You can also 
verify that the IBM Tivoli Directory Server was installed successfully by typing 
the following at a command prompt: 
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lslpp -L | grep ldap 


The output displayed lists all the filesets starting with ldap. This list includes 
the Server, client. Web Administration Tool, HTML, and message filesets. For 
example: 


ldap.client.adt 

5.2.0.0 

C 

F 

Di rectory 

SDK 


ldap.client.rte 

5.2.0.0 

C 

F 

Directory 

CIient 

Runtime 

ldap.Server.cfg 

5.2.0.0 

C 

F 

Directory 

Server 

Config GUI 

ldap.server.com 

5.2.0.0 

C 

F 

Di rectory 

Server 

Framework 

ldap.Server.java 

5.2.0.0 

C 

F 

Directory 

Server 

Java 

ldap.Server.rte 

5.2.0.0 

C 

F 

Directory 

Server 

Runtime 

ldap.webadmin 

5.2.0.0 

C 

F 

Directory 

Administrative 


GSKit' 

Notes: 


7. If you w ant to include security functions, install GSKit 7a. See 'Tnstalling 


1 . 


2 . 


If you install t he Web Administration Tool, DSML files are also copied to yo ur 
Computer. See Appendix F, "Installing and configuring DSML", on page 131 for 
Information about installing and configuring DSML. 

If you install the Web Administration Tool, an application Server such as the 
embedded versi on of WebSphere Application Server - Express is required to 
run the tool. See AppendjxFLWlnsfc^ 


embedded version of WebSphere Application Server - Express", on page 125| for 
information about installing and configuring an application Server. 


Installing GSKit 

If you installed an SSL-enabled version of IBM Tivoli Directory Server, you must 
install GSKit to take advantage of the security features. You can use either SMIT or 

installp. 

To install using SMIT: 

1. Invoke SMIT by typing smi t at the command line. 

2. Select Software Installation & Maintenance. 

3. Select Install and Update Software. 

4. Select Install and Update from ALL Available Software. 

5. On the device/directory window specify the directory that contains the 
installable Software. 

6. Select Package gskta and Package gsksa from the multi-select list. 

7. Select the filesets of the Software packages to install 

8. Select the options appropriate to your Installation requirements from the 
Options window. 

Note: Set the Install all prereqs Option to yes. 

9. Confirm that you want to complete the Installation. 

The installp command installs available Software products in a compatible 
installation package. To install GSKit using installp, enter the following at a 
command prompt: 

installp -acgXd gskta.rte 
installp -acgXd gsksa.rte 


where 

• -a Stands for apply 
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• -c Stands for commit 

• -g automatically installs or commits any requisite Software product. 

• -X expands the filesystem if necessary. 

• -d Stands for device. This specifies where the installation media can be found. 


See Appendix I, "Setting up GSKit to support CMS key databases", on page 139 for 


more information about setting up GSKit after installation. 


Setting System variables for AIX operating Systems 

The ikeyman GUI sets up its own environment except for JAVA_HOME. To see 
how ikeyman sets its environment, edit the /usr/opt/ibm/gsksa/bin/gsk7ikm-64 
file. 


You must set the following AIX variable so that ikeyman can run: 

JAVA_HOME =location, where location is the location where JDK 1.3.1 or 1.4.1 is 
installed. 

Note: If you are prompted to set JAVA_HOME, you can set it to either the 

system-installed Java or the Java version included with the IBM Directory 
Server. If you use the IBM Directory Server version, you also need to set the 
LIBPATH environment variable as follows: 

export LIBPATH=/usr/ldap/java/bin:/usr/ldap/java/bin/classic:$LIBPATH 

Removing GSKit 

To remove GSKit using SMIT: 

1. Invoke SMIT by typing smi t at the command line. 

2. Select Software Installation and Maintenance on the menu. 

3. Select Software Maintenance and Utilities. 

4. On the Maintenance window, select Remove Installed Software to open the 
Remove Software Product window. 

5. Enter the name of the Software package 

6. Set the flag for REMOVE dependent Software? to YES to instruct the System to 
automatically remove Software products and Updates that are dependent upon 
the product you are removing. 

7. Confirm the procedure to complete the removal of the Software package. 

To remove GSKit using installp, type the following at a command prompt: 

installp -u -g -V2 gskta.rte 
installp -u -g -V2 gsksa.rte 

where 

• -u removes the specified Software and any of its installed Updates from the 
System. 

• -g removes or rejects dependents of the specified Software. 

• -V2 prints an alphabetically ordered list of FAILURES and WARNINGS. 
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Chapter 8. Installing IBM Tivoli Directory Server using Linux 
Utilities 


The instructions in this chapter assume that you are logged in as root and have the 
IBM Tivoli Directory Server Version 5.2 CD mounted at /SD_CDROM. 


Attention: If you have SecureWay Directory version 3.1.1.5, 3.2,. 3.2.1, or 3.2.2, or 
a version of IBM Direc tory Server installed, and you want to migrate your data. 


use the instructions in Chapter 5, "Migration from previous releases", on page 29 


to 


install IBM Tivoli Directory Server 5.2. It is very important that you back up and 
export previous versions of Schema files and the slapd32.conf file before installing 
IBM Tivoli Directory Server 5.2. 


Installing IBM Tivoli Directory Server 

Note: Before installing IBM Tivoli Directory Server, you must remove any existing 
versions of LDAP that might have been installed previously. If you try to 
install IBM Tivoli Directory Server over an existing version of LDAP, IBM 
Tivoli Directory Server does not install correctly. If this occurs you must 
remove the IBM Tivoli Directory Server and then reinsta ll it. See 
"Uninstalling IBM Tivoli Directory Server" on page 100 


A version of LDAP is installed by default with some operafing Systems. One 
method to determine if you have a previously installed version of LDAP is 
to issue the following command to query the installed packages: 
rpm -qa | grep -i ldap 

This command finds any installed applications containing the name ldap. 
This method works only if you have a version of LDAP that contains the 
string "ldap" in its application names. 

Before you install IBM Tivoli Directory Server, be sure you have DB2 Version 7.2 
FixPak 5 or later installed. You can use the db2_install command to install the 
version of DB2 (8.1 FixPak 2) provided. 


If you are installing the Web Administration Tool, you must install an application 
Ser ver such as the embedded version of WebSphere Application Server - Express. 


See 

Appendix D, "Installing, configuring, and uninstalling the embedded version of 

WebSphere Application Server - Express", on page 125 

for information. 


The IBM Tivoli Directory Server for the Linux operating System is provided in the 
following packages. 

xSeries Linux packages: 

• ldap-serverd-5.2-l.i386. rpm 

• ldap-clientd-5.2-l.i386.rpm 

• ldap-msg-xxx-5.2-l.i386.rpm (Where xxx is the language identifier.) 

• ldap-html-xxx-5.2-l.i386.rpm (Where xxx is the language identifier.) 

• ldap-webadmind-5.2-l.i386.rpm 

zSeries Linux packages: 
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• ldap-serverd-5.2-l.s390.rpm 

• ldap-clientd-5.2-l.s390.rpm 

• ldap-msg-xxx-5.2-l.s390.rpm (Where xxx is the language identifier.) 

• ldap-html-xxx-5.2-l.s390.rpm (where xxx is the language identifier.) 

• ldap-webadmind-5.2-l.s390.rpm 

iSeries and pSeries Linux packages: 

• ldap-server-5.2-l.ppc.rpm 

• ldap-client-5.2-l.ppc.rpm 

• ldap-msg-xxx-5.2-l.ppc.rpm (where xxx is the language identifier.) 

• ldap-html-xxx-5.2-l.ppc.rpm (where xxx is the language identifier.) 

• ldap-webadmind-5.2-l.ppc.rpm 

Note: The examples in this chapter use Linux Intel-based packages. 


To install IBM Tivoli Directory Server: 

1. Install the dient by typing the following at a command prompt: 
rpm -ihv ldap-clientd-5.2-l.i386.rpm 

2. Install the Server by typing the following at a command prompt: 
rpm -ihv ldap-serverd-5.2-l.i386.rpm 

3. Verify that the packages have been installed correctly by typing the following at 
a command prompt: 

rpm -qa | grep ldap 


If the product has been successfully installed, the following is displayed: 

ldap-clientd-5.2-1 
ldap-serverd-5.2-1 


4. Install the language-dependent messages or documents by typing the following 
at a command prompt: 


5 . 


rpm -ihv ldap-msg-xxx-5.2-l.i386.rpm 
rpm -ihv ldap-html-xxx-5.2-l.i386.rpm 


If you want to incl ude security functions, install GSKit 7a. See "Installing 


GSKit" on page 65 


To install the Web Administration Tool: 

1. Type the following at a command prompt: 
rpm -ihv ldap-webadmind-5.2-l.i386.rpm 


Notes: 

a. If you install the W eb Administration Tool, DSML files are also copied t o 


your Com puter. See Appendix F, "Installing and configuring DSML", on 


page 131 for Information about installing and configuring DSML. 


b. 


If you install the Web Administration Tool, an application Server such as the 
embedded versi on of WebSphere Application Server - Express is required to 
run the tool. See Appendix D, "Installing, configuring, and uninstalling the 


embedded version of WebSphere Application Server - Express", on page 125 
for Information about installing and configuring an application Server. 
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Installing GSKit 

The following information is provided as a guide if you want to install the 
Software package gsk7bas.tar on the Linux operating System. You can install the 
package through the command line. 

The package names for GSKit 7a on the Linux platforms are as follows: 

xSeries Linux: 

rpm -ihv gsk7bas-7.0-1.0.i386.rpm 

zSeries Linux: 

gsk7bas-7.0-l ,0.s390x.rpm 

iSeries and pSeries Linux: 

gsk7bas-7.0-l .O.ppc32.rpm 

To install GSKit using rpm, use one of the following commands: 

• To install in the default location, /usr/local, log in as root and type the 
following at a command prompt: (These examples use the xSeries Linux package 
name.) 

rpm -ihv gsk7bas-7.0-l.O.i386.rpm 

• To install in a specified location, be sure that you have write access to the 
directory and use the —noscripts flag, as follows: 

rpm -ihv --prefix new_location gsk7bas-7.0-1.0.i386.rpm --noscripts 


where newjocation is the path where you want to install. For example: 
rpm -ihv --prefix /tmp/usr gsk7bas-7.0-1.0.i386.rpm --noscripts 


See Appendix I, "Setting up GSKit to support CMS key databases", on page 139 for 


more information about setting up GSKit after installation. 


Removing GSKit 

To remove GSKit, type the following at a command prompt: 
rpm -evv gsk7bas-7.0.1 


where 

• -evv specifies to erase the package and display debugging information. If no 
trace or debug information is desired, use only -e. 
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Chapter 9. Installing IBM Tivoli Directory Server using Solaris 
Utilities 


The instructions in this chapter assume that you are logged in as root and have the 
IBM Tivoli Directory Server Version 5.2 CD in the CD-ROM drive. 


Attention: If you have a 3.2.x version of SecureWay Directory or a version of IBM 
Di rectory Server installed, and you want to migrate your dat a, use the instructions 


in 


Chapter 5, "Migration from previous releases", on page 29 to install IBM Tivoli 


Directory Server 5.2. It is very important that you back up and export previous 
versions of Schema files and ibmslapd.conf before installing IBM Tivoli Directory 
Server 5.2. 


Installing IBM Tivoli Directory Server 

Before you install IBM Tivoli Directory Server, be sure you have DB2 Version 7.2 
FixPak 5 or later installed. You can use the db2_install command to install the 
version of DB2 (8.1 FixPak 2) provided. 


If you are installing the Web Administration Tool, you must install an application 
Ser ver such as the embedded version of WebSphere Application Server - Express. 


See Appendix D, "Installing, configuring, and uni nstalling the embedded version of 

WebSphere Application Server - Express", on page 125 for information. 


You can use either the admintool utility or pkgadd from a command prompt to 
install IBM Tivoli Directory Server. 


Note: You do not need to install security functions if you are not going to use 
them. You can provide SSL by installing Global Security Kit (GSKit). 

The following instructions assume that you are installing from a CD-ROM drive. 


Package dependencies 

The following IBM Tivoli Directory Server packages are available for Installation: 

• IBMldapc: IBM Tivoli Directory Server dient 

• IBMldaps: IBM Tivoli Directory Server Server 

• IBMldixxx: IBM Tivoli Directory Server documentation (where xxx is the 
language identifier) 

• IBMldmxxx: IBM Tivoli Directory Server messages (where xxx is the language 
identifier) 

• IBMldapw: IBM Tivoli Directory Server Web Administration Tool 

Note: The English messages are automatically installed with the IBMldaps (server) 
package. There is no separate messages package for English. 


Because of package dependencies, the order of installation is significant. Install the 
packages in the following order: 

1. Client 

2. Server 

3. Documentation and Messages 
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If you are installing only the dient Software, install in the following Order: 

1. Client 

2. Documentation and Messages 

If the dient package is not installed first, the Installation fails. 

Note: Because the Web Administration Tool package has no dependencies on any 
of the other packages, and none of the other packages are dependent on it, 
you can install it in any Order. 

“Non-IBM Version of LDAP” on your System 

Düring the installation of the Server or dient on Solaris Operating Environment 
Software Version 8 or 9, or the Server on Version 7, you might encounter the 
following message: 

A non-IBM version of LDAP has been located on your System. In Order 
to use the command line version of the IBM supplied files, the 
existing files (ldapadd, ldapdelete, ldaplist, ldapmodify, 

Idapmodrdn, ldapsearch) must be relocated. Specify the new 
directory in which to move the files (/usr/bin/ldapsparc) [?,q] 

Press Enter to accept the default directory (/usr/bin/ldapsparc), or type a new 
path name and press Enter, or type q and press Enter to quit. 

After relocating the files, you might see these additional messages: 

## Processing System information. 

WARNING: /usr/bin/1dapadd <no longer a linked file> 

WARNING: /usr/bin/1dapdelete <no longer a linked file> 

WARNING: /usr/bin/1dapmodify <no longer a linked fi1e> 

WARNING: /usr/bin/1dapmodrdn <no longer a linked file> 

WARNING: /usr/bin/1dapsearch <no longer a linked file> 

## Verifying package dependencies. 

## Verifying disk space requirements. 

## Checking for conflicts with packages already installed. 

The following files are already installed on the System and 
are being used by another package: 

/usr/bin/ldapadd 
/usr/bin/ldapdelete 
/usr/bin/ldapmodify 
/usr/bin/1dapmodrdn 
/usr/bin/1dapsearch 

Do you want to install these conflicting files [y,n,?,q] 

Type y and press Enter to continue the installation. The existing files are moved to 
the directory previously specified and the IBM Tivoli Directory Server files are 
installed in the /usr/bin directory. 

AdminTool installation 

To install IBM Tivoli Directory Server using the admintool utility: 

1. Type the following at a root command prompt: admi ntool & 

The Users window is displayed. 

2. Click Browse —> Software. The Software window is displayed. 

3. Click Edit —> Add. The Set Source Media window is displayed. 
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Attention: Do not click Customize in the lower left corner of the Set Source 
Media window. If you click Customize, the AdminTool installation stops. 
Because LDAP does not have any customizable options, there is no need for 
you to click Customize. 

4. Select CD with Volume Management. The CD-ROM path defaults to 
/cdrom/cdromO/ 

5. Change the path to /cdrom/cdrom0/ldap52_us and click OK. 

6. Click OK. 

7. Select a package from the following list of installable packages: 


IBM 

Ti 

vol i 

IBM 

Ti 

vol i 

IBM 

Ti 

vol i 

IBM 

Ti 

vol i 

IBM 

Ti 

vol i 


Directory 
Directory 
Directory 
Directory 
Directory 


CIient 
Server 

Documentati on (for all languages) 
Messages (for all languages) 
Webadmin 


8 . 

9. 


Remember that you must install the dient package first. See |"Package 


dependencies" on page 67| for the correct installation sequence. 


Click Add. 


You are asked if you want to use / opt as the base directory. If space permits, 
use / opt as the base installation directory. To accept / opt as the base directory, 
press Enter. 


Notes: 

a. With the installation of dient and Server packages, the System prompts 
you with the following notice: This package contains Scripts which will 
be executed with super-user permission during the process of 
installing the package. These scripts create the IBM Tivoli Directory 
Server user ID. Type y to continue. 

b. If you are installing the Server package, you will also see the prompt, Do 
you want to install these as setuid/setgid files? Type y to continue. 


10 . 

11 . 


After the package is installed, the Software window is displayed. 

Repeat steps |7]through|9] for each additional package you want to install. 
When you have finished installing the packages, select File —> Exit to exit the 

admintool utility. 


If you want to incl ude security functions, install GSKit 7a. See "Installing 


GSKit" on page 71 


Notes: 


2 . 


If you install t he Web Administration Tool, DSML files are also copied to yo ur 
Computer. See Appendix F, "Installing and configuring DSML", on page 131 for 
Information about installing and configuring DSML. 

If you install the Web Administration Tool, an application Server such as the 
embedded Versi on of WebSphere Application Server - Express is required to 
run the tool. See Appendix D, "Installing, configuring, and uninstalling the 


embedded version of WebSphere Application Server - Express", on page 125 for 


information about installing and configuring an application Server. 


Command line installation using pkgadd 

To install IBM Tivoli Directory Server from a command prompt: 

1. Go to the root directory of the directory where you mounted the CD-ROM or 
where you untarred the tar file. 
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2. At the command prompt, install the packages you want by typing the 
following command for each package: 
pkgadd -d pkgfilename 

where pkgfilename is the file name of the package you want to install. Do not 
use the System default of ALL. The System does not sequence the packages 
correctly and the installation fails. 

The packages shown in the following fable are available. If you are installing 
the Server, you must install the dient package first, and then the Server 
package. You can then install the documentation, the messages, and the Web 
Administration Tool in any Order. 


Table 1. IBM Directory Server packages for Solans 


Package 

Package name 

File name 

IBM Tivoli Directory Client 

IBMldapc 

ldap.client_rted.pkg 

IBM Tivoli Directory Server 

IBMldaps 

ldap.server_rted.pkg 

IBM Tivoli Directory 
documentation 

IBMldixxx 

ldap.man.xx_XX.pkg 

IBM Tivoli Directory messages 

IBMldmxxx 

ldap.msg.xx_XX.pkg 

IBM Tivoli Directory Webadmin 

IBMldapw 

ldap.webadmin_rted.pkg 


xxx and xx_XX are specific language identifiers. 

Note: The English messages are automatically installed with the IBMldaps 
(server) package. There is no separate package for English messages. 


Examples: 

• To install the dient package, type: 
pkgadd -d ldap.client_rted.pkg 

• To install the Server package, type: 
pkgadd -d ldap.server_rted.pkg 

• To install the documentation package, type: 
pkgadd -d ldap.man.xx_X>C.pkg 

• To install the message package, type: 
pkgadd -d ldap.msg.xx_X>C.pkg 

• To install the Web Administration Tool package, type: 
pkgadd -d ldap.webadmin_rted.pkg 


Notes: 

a. If you install the W eb Administration Tool, DSML files are also copied t o 


your Com puter. See |Appendix F, "Installing and configuring DSML", on 


page 131 for information about installing and configuring DSML. 


b. 


If you install the Web Administration Tool, an application Server such as 
the embedded version of W ebSphere Application Server - Express is 
required to run the tool. See AjjpendlxdlTYdnst^^ 


uninstalling the embedded version of WebSphere Application Server - 


Express", on page 125 for information about installing and configuring an 
application Server. 
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3. Düring installation, you are asked if you want to use / opt as the base directory. 
If space permits, use /opt as the base installation directory. To accept /opt as 
the base directory, press Enter. 


Notes: 


a. With the installation of dient and Server packages, the System prompts you 
with the query, This package contains Scripts which will be executed 
with super-user permission during the process of installing the 
package. Continue with installation? These Scripts create the IBM Tivoli 
Directory Server user ID. Type y to continue. 

b. If you are installing the Server package, you also see the prompt, Do you 
want to install these as setuid and/or setgid files? The programs 
need to be able to Start daemons, run DB2 commands, and create the IBM 
Tivoli Directory Server DB2 instance user ID and group, so they 
occasionally need to run as root. Type y to continue. 


4. 

5. 


When the installation is completed, type q to retum to the command prompt. 


If you w ant to include security functions, install GSKit 7a. See "Installing 


GSKit' 


Installing GSKit 

You can install GSKit 7a using either the AdminTool or the command line. 

To install GSKit using the admintool utility: 

1. Log in as root. 

2. Type the following at a root command prompt: admi ntool & 

The Users window is displayed. 

3. Click Browse —> Software. The Software window is displayed. 

4. Click Edit —> Add. The Set Source Media window is displayed. 

5. In the Path field, type the full path name to the directory that contains the 
GSKit installation code. For example, if you are installing from a CD-ROM: 

/cdrom/cdromO/gskit 

6. Click OK. 

7. Select Certificate and SSL Base Runtime (gsk7bas) 

8. Click Add. You are asked if you want to continue the installation. 

9. Type y and press Enter. After the package is installed, a message is displayed 
and you are instructed to press Return. 

10. Press Enter. 

11. When you are finished installing packages, click File —> Exit to exit the 
admintool utility. 


To install GSKit using the command line: 

1. Insert the CD. 

2. Log in as root. 

3. At the command prompt, install the required tar file sets with the following 
command: 

pkgadd -d /cdrom/cdrom0/gskit 


See Appendix I, "Setting up GSKit to support CMS key databases", on page 139 for 


more information about setting up GSKit after installation. 
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Removing GSKit 

To remove GSKit, type the following at a command prompt: 
pkgrm gsk7bas 
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Chapter 10. Installing IBM Tivoli Directory Server using HP-UX 
Utilities 


Attention: If you have a Version of IBM Directory Server installed and you wa nt 


to migrate vour data, read and understand the migration process in 

"Migration 

from IBM Directory Server Version 4.1 or 5.1 for UNIX installations' 

on page 42 


betöre installing IBM Tivoli Directory Server 5.2. It is very important that you back 
up and export previous versions of Schema files and the Server configuration file 
betöre mstalling IBM Tivoli Directory Server 5.2. 


Betöre installing IBM Tivoli Directory Server 

The following sections describe how to set the current configuration parameters 
and install IBM Tivoli Directory Server. You must have the current kernel 
configuration parameters set, and Java Runtime Environment 1.4.1 and DB2 
Version 7.2 FixPak 5 or later installed betöre installing IBM Tivoli Directory Server. 
You can use the db2_install command to install the version of DB2 (8.1 FixPak 2) 
provided. To install HP-UX Runtime Environment for the Java 2 Platform Version 
1.4.1, use the instructions provided with the Java package. 


If you are installing the Web Administration Tool, you must install an application 
Ser ver such as the embedded version of WebSphere Application Server - Express. 


See Appendix D, "Installing, configuring, and uni nstalling the embedded version of 

WebSphere Application Server - Express", on page 125 for information. 


Note: Betöre mstalling DB2, you must remove any existing versions of DB2 that 
might have been installed previously. If you try to install DB2 over an 
existing version of DB2, DB2 does not install correctly. If this occurs you 
must remove DB2 and then reinstall it. 


Setting the current kernel configuration parameters 

The following fable contains the parameters and values that must be set betöre 
installing IBM Tivoli Directory Server. 

Table 2. HP-UX operating System kernel configuration parameters 


Kernel parameter 

Value 256MB+ physical memory 

maxuprc 

512 

maxfiles 

256 



nproc 

1024 

nflocks 

8192 

ninode 

2048 

nfile 

(4 * ninode) 



msgseg 

32767 

msgmnb 

65535 (1) 

msgmax 

65535 (1) 

msgtql 

1024 
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Table 2. HP-UX operating System kerneI configuration parameters (continued) 


Kernel parameter 

Value 256MB+ physical memory 

msgmap 

258 

msgmni 

256 

msgssz 

16 



semmni 

512 

semmap 

514 

semmns 

1024 

semmnu 

1020 



shmmax 

268435456 (2) 

shmseg 

16 

shmmni 

300 



max_thread_proc (Only if using the Web 
Administration Tool) 

1024 

maxusers (Only if using the Web 
Administration Tool) 

256 


Note: After you update the max_thread_proc and maxusers parameters, be sure 

that the nproc parameter is set to 2068 or more, and the nkthread parameter 
to 3635 or more. 

To set a kernel configuration parameter: 

1. At a command prompt, type: sam 

The System Administration Manager opens. 

2. Double-click Kernel Configuration. 

3. Double-click Configurable Parameters. 

4. Double-click the parameter you want to edit and type the new value in the 

Enter New Formula/Value field. Click OK. 

5. Repeat step |4] for each parameter that needs to be set. 

6. Click Actions —> Process New Kernel. 

7. To process the modifications, click Yes. 

8. Select Move Kernel Into Place and Shutdown/Reboot Now and click OK. 


Installing IBM Tivoli Directory Server 


Before installing IBM Tivoli Directory Server, remove any non-IBM versions of 
LDAP that might have been installed previously. If you try to install IBM Tivoli 
Directory Server over an existing non-IBM version of LDAP, such as OpenLDAP, 
IBM Tivoli Directory Server might not install correctly. If this occurs you must 


remove IBM Tivoli Directory Server a nd then reinstall it. See "Uninstalling IBM 
Tivoli Directory Server" on page 100 
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Before installing IBM Tivoli Directory Server, be sure that you have the correct 
kemel configuration parameters set, and Java Runtime Environment 1.4.1 and DB2 
Version 7.2 FixPak 5 or later installed. 


The instructions in this section assume that you are logged in as root and have the 
IBM Tivoli Directory Server Version 5.2 CD mounted at /SD_CDROM. 


To install IBM Tivoli Directory Server: 

1. Type swi nstal 1 at a command prompt. 

Note: swinstall does not automatically read the CD. You need to supply the 
full path to the install image. The path to the client-server package is 
/ SD_CDROM / ldap52_us /hpuxl l_ibmldap52servers.depot. 


You can install the following packages: 

Server/client 

hpuxl l_ibmldap52servers. depot 

Client only 

hpuxl l_ibmldap52clients. depot 

2. Select the IBM Tivoli Directory Server 5.2 package you want to install. You can 
select from the following list: 

• LDAPServer to install both the Server and dient. 

• LDAPClient to install the dient only. 

• ids_tools to install the Web Administration Tool. 

3. Click Actions —> Mark For Install. 

4. Click Actions —> Install (analysis). Analysis is complete when the Status field 
reads Ready. 

5. Click OK. 

6. Click Yes to begin installation. Installation is complete when the Status field 
reads Done. 

7. Click File —> Exit. 


Notes: 

1. To enable SSL, you must also install GSKit. See 

2 . 


'Installing GSKit' 


3. 


If you install t he Web Administration Tool, DSML files are also copied to yo ur 
Computer. See Appendix F, "Installing and configuring DSML", on page 131 for 
Information about installing and configuring DSML. 

If you install the Web Administration Tool, an application Server such as the 
embedded versi on of WebSphere Application Server - Express is required to 
run the tool. See Appendix D, "Installing, configuring, and uninstalling the 


embedded version of WebSphere Application Server - Express", on page 125 for 
information about installing and configuring an application Server. 


Installing GSKit 

You can install the GSKit package (gsk7bas.tar.Z) through the command line or 
through sam, a GUI utility for System administration. 

To install GSKit: 

1. Download or copy the GSKit package to /tmp. 

2. Run the following command to change to the /tmp directory: 
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cd /tmp 

3. Uncompress and untar the package: 

zcat gsk7bas.tar.Z | tar -xvf - cd 

4. Run the following command to install: 
swinstall -s /var/spool/pkg/gsk7bas gsk7bas 


where 

• -s specifies the full_path of the Software source. 

• gsk7bas contains the Restricted GSKit Base Toolkit install image. 


See Appendix I, "Setting up GSKit to support CMS key databases", on page 139 for 


more information about setting up GSKit after installation. 


Setting System variables for HP-UX 

Set or verify that the following path has been set in your . profi 1 e. 
SHLIB PATH=/usr/lib 


For example: 

export SHLIB_PATH=/usr/lib;$SHLIB_PATH 

To set the language support environment variables, run the following command: 
echo 'export NLSPATH=/usr/1 ib/nl s/msg/%L/%N' »~/.profile 

Note: Be sure to include the tilde character betöre /. profi 1 e. 

Removing GSKit 

To remove GSKit, run the following command at a command prompt: 
swremove gsk7bas 
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Chapter 11. Installing on Windows platforms using silent 
installation 


This chapter provides instructions for installing IBM Tivoli Directory Server 5.2 on 
a Windows Computer using silent installation, and for installing and uninstalling 
GSKit from the command line on Windows. 


Silent installation 

Silent installation installs IBM Tivoli Directory Server with no user input required 

during installation. 

The following options and conditions apply to silent installation: 

• You must have at least 100 MB of memory free before invoking silent 
installation. 

• You do not need to install both the dient and the Server. You can choose to 
install the dient only. 

• Silent installation does not install DB2, GSKit, or the embedded version of 
WebSphere Application Server - Express. 

• Be sure that you have at least 100 MB of free space in the directory specified by 
the TEMP environment variable. 

• If you choose to install the Server, you must already have DB2 installed. 

• If the dient is already installed, you can add the Server in a later installation. 

• If the Server is selected for installation in the options file, the dient will 
automatically be installed if it is not there, regardless of whether it was selected 
for installation in the options file. 

• The Web Administration Tool can be installed whether or not the Server or dient 
is installed. 

• To edit installation path settings, copy the InstallServer.txt file from the 
optionsFile directory to a writable location. 

To begin installing the IBM Tivoli Directory Server 5.2 using silent installation: 

1. If you are installing from the CD, insert the CD in your CD-ROM drive and go 
to the CD-ROM drive. Otherwise, change to the directory where the 
downloaded IBM Tivoli Directory Server file was unzipped. 

2. Ata command prompt, type the following: 
cd \ismp 

consoleSetup -is:si1 ent -options d:\ismp\optionsFiles\InstallServer.txt 
where d: is the CD-ROM drive or the drive where you unzipped the file. 

Note: If you want to specify an additional log file, type the following: 

consoleSetup -is:si1 ent -options d:\ismp\optionsFiles\InstallServer.txt 
-log !c:\mydirectory\ldapinst.log @ALL 

c:\mydirectory\ldapinst.log can be changed to point to where you want to place 
the log file. The log file will still be created in the target installation directory. 
The default location is C:\Program Files\IBM\LDAP\ldapinst.log. 
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Note: You must use consoleSetup.exe rather than setup.exe because only 
consoleSetup.exe returns a return code. 

3. IBM Tivoli Directory Server is installed with no further input. If the Installation 
exits for any reason, you can find information about the exit by viewing the 
return code or checking the installpath\ ldapinst.log file. (installpath is the path 
where you installed IBM Tivoli Directory Server.) 

Check the return code by checking the value of %ERRORLEVEL% from a .bat 
file. A return code of 0 indicates that the installation 
return code indicates that the installation failed. See 
for a list of return codes. 


was successful. A non-zero 
"Checking the return code" 


4. 


Installation is complete when control returns to the command line or to the 
invoking program. 

If installation is unsuccessful, check to be sure that your options file settings 
and command-line parameters are valid. 


After installation, restart the System. If you are also installing other products, 
you can restart at an appropriate time. If the Server was installed, you must 
configure betöre the Server is u sable. You can use the ldapcfg comman d line 
utility to configure silently. See 
information. 


'Using the ldapcfg utility" on page 92| for 


Verifying the silent installation 

To verify that the silent installation was successful, you can check the return code 
and the log file. 

Common reasons for the silent installation failing are: 

• A previous or current version of IBM Tivoli Directory Server is already installed. 

• The prerequisites are not present. The Server requires a valid version of DB2. 

• There is not enough disk space to install. 

• The options file is incorrect. Be very careful when editing the options file. There 
cannot be blank lines or control characters in the file. If the installation exits 
with no log file, this is usually because the options file is invalid (with blank 
lines, for example), or because the path to the options file was specified 
incorrectly. 

Checking the return code 

The %ERRORLEVEL% variable contains the return code. The following return 
codes can be received: 

• 3001 Prerequisites missing 

• 3002 Java exception 

• 3003 No feature selected for silent install 

• 3004 Attemping to install wrong level or existing level. Only current 
over current allowed 

Other return codes might be returned from the InstallShield program. 

Checking the log file 

To verify that silent installation was successful using the log file: 

1. Check the log file to see if it exists in the target directory. If the log is not there, 
the installation failed, and you can refer to the log file that was specified on the 
silent installation command with the -log Option to see why the installation 
failed. 

2. Check the log file for the string Exiting LdapExit. 
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3. Verify that the installation was completed by checking the Windows registry. 
The following text should be in the registry, depending on which components 
were installed: 

In HKEY_LOCAL_MACHINE \ SOFTWARE \ IBM \ LDAP \ 

CIientMajorVersion 5.2 
ServerMajorVersion 5.2 
WebadminMajorVersion 5.2 

In HKEY_LOC AL_M ACHINE \ SOFTWARE \ IBM \ LD AP \ Client \ 

CIientMinorVersion 0.0 
LDAPHome install_location 

In HKEY_LOCAL_M ACHINE \ SOFTWARE \ IBM \ LD AP \ WebadminX 

WebadminMinorVersion 0.0 
LDAPHome install_location 

In HKEY_LOCAL_MACHINE \ SOFTWARE \ IBM \ LD AP \ Server \ 

ServerMinorVersion 0.0 
LDAPHome install_location 

Options file for silent installation 

The following text is in the options file provided with IBM Tivoli Directory Server: 

#Sample response file for the Server/Client package 
#(Lines beginning with # are comments) 

# Be sure there are no blank lines in this file! 

# 

# The following 3 lines MUST be present, and HOT modified 
-si1 ent 

-G createDirectoryResponse="yes" 

-G replaceExistingResponse="yesToAl1" 

# 

# install destination - this can be modified to install location 
-P product.instal1Location="C:\Program Fi 1es\IBM\1dap" 

# 

# Select the features to install. Note: if the Server is selected, the 

# dient will automatical ly be installed. To deselect a feature, set the 

# field to false. 

-P ServerFeature.active=true 
-P ClientFeature.active=true 
-P WebadminFeature.active=true 


# Selected Locales 

# 

# The list of selected locales. This list determines which 1ocale-specific 

# components are installed for the product. Legal values are: 

# 


# 

en 

- English 

# 

fr 

- French 

# 

de 

- German 

# 

i t 

- Italian 

# 

ja 

- Japanese 

# 

ko 

- Korean 

# 

pt_BR 

- Portuguese (Brazil) 

# 

zh 

- Simplified Chinese 

# 

es 

- Spanish 

# 

zh TW 

- Traditional Chinese 


# 

# For example, to select English, use 

# 

# -P selectedLocales=en 

# 
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-P seiectedLocales=en 

# Th is must be last line. Be sure no blank lines or carriage Controls follow! 

# Thi s must be last line. Be sure no blank lines or carriage Controls follow! 

You can edit the following line to point to the desired target installation directory: 
-P product.instal 1 Location="C:\Program Fi 1es\IBM\1dap" 

The features lines can be edited to disable a feature from being installed. For 
example, -P WebadminFeature.active=true can be changed to 
-P WebadminFeature.active=false to indicate that you do not want to install the 
IBM Tivoli Directory Server Web Administration Tool. 

You can specify the correct locale by editing the following line: 

-P seiectedLocales=en 

Change en to the language you want to install. 


Installing GSKit on Windows operating Systems 

If you install IBM Tivoli Directory Server using silent installation, GSKit is not 
installed. You can use the following procedure to install it. 

To install GSKit 7a: 

1. Extract the files from the self-extracting GSKit file by typing the following at a 
command prompt in the directory where the gsk7bas.exe file is located: 
gsk7bas.exe path /D 

where 

• path is the directory where you want to extract the files 

• /D specifies that you want to create directories 

2. In the directory where you extracted the files, run the following command: 
Setup LDAP path -s --fl"extracted file Zocatzo/Asetup.iss" 

where 

• LDAP is the name of your application and will be registered as a registered 
user of GSK in the Windows Registry (under the key 

SOFTWAREN \IBM\ \GSK\ \REGAPPS). 

• path is the path where you want to install GSKit. Note that the installation 
program appends \ibm\gsk7 to any path you enter. 

Note: Do not start setup.exe by clicking on the icon. 

The following options can be used: 

• -s to run the Setup in the silent mode. 

• -flextracted file location\ setup.iss specifies the response file needed to run the 
setup in the silent mode. Note that there is no space between -fl and the 
beginning of the extracted file location. 

For example: 

setup LDAP gskit -s -fl"d:\temp\setup.iss" 
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See Appendix I, "Setting up GSKit to support CMS key databases", on page 139 for 


more information about setting up GSKit after installation. 


Removing GSKit 

To remove GSKit, run the following command: 
gsk7BUI LDAP 
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Chapter 12. Configuration 


You can use either the Configuration Tool (ldapxcfg) or the ldapcfg command-line 
utility to configure the Server, ldapucfg is used to unconfigure the Server through 
the command line. 

You must have at least 80 MB of hard disk space available to configure the 
database. 


If you used the InstallShield GUI to install, the Configuration Tool is started after 
installation (and after System restart on a Windows System). 


After installation, if configuration does not start automatically, you must use the 
Configuration Tool or the command line configuration program to do the following 
tasks: 

• Define the IBM Tivoli Directory Server administrator distinguished name (DN) 
and password. This Operation can be compared to defining the root user ID and 
password on a UNIX System. 

• Configure the database. 


Note: After yo u configure, see Chapter 13, "After you install and configure", on 


page 97 for information about: 


Starting the Server 


- Starting the embedded version of WebSphere Application Server - 
Express service if you want to use the Web Administration Tool 


You can find more information in the IBM Tivoli Directory Server Version 
5.2 Administration Guide. 


In addition, you can use the Configuration Tool for the following tasks: 

• Configuring (or reconfiguring) and unconfiguring the database 

• Enabling and disabling the change log 

• Adding and removing Suffixes 

• Adding and removing Schema files 

• Importing and exporting LDIF data 

• Backing up, restoring, and optimizing the database 

Note: If you are configuring a UNIX-based System, you must run the configuration 
Utilities (ldapcfg and ldapxcfg) from a directory that has execute permission 

for other. That is, the directory must have at least the- x permission set. 

If this permission is not set, you might see an error message and experience 
a subsequent failure during the database creation step. To set this 
permission for your current directory, you can enter the command: 
chmod o+x . 

The period ( . ) in the command is required to indicate the current directory. 


Using the IBM Tivoli Directory Server Configuration Tool (ldapxcfg) 

To configure IBM Tivoli Directory Server using the Configuration Tool: 
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1 . On a UNIX System, log in as root. On a Windows System, log on as any user in 
the Administrators group. 

2. Type ldapxcfg at a command prompt. Alternatively, on a Windows System, you 
can click Start —> Programs —> IBM Tivoli Directory Server 5.2 —> 

Directory Configuration. 

3. The Configuration Tool window is displayed. 

Note: If you are using a Windows platform, do not minimize the Configuration 
Tool window or the command prompt window that is displayed during 
initial configuration, or unpredictable results might occur. 


In the task list on the left, click the task you want to perform. For Information 
about performing a task, see the section shown in the following list: 

Set or chan ge the Administrator DN and password 


See 


'Setting the Administrator DN and password' 


Configure the database 


SeepConfiguring the database" on page 86 


Unconfigu re the database 


See pUnconfigu ring the database" on page 87 


Configure or unconfigure the change log 


See "Enabling or disabling the change log" on page 87 


Manage su ffixes 


See 


'Managing suffixes" on page 88 


Manage Sc hema files 


See "Managing Schema files" on page 89 


Import LDIFdata 


See 


Tmporting LDIF data" on page 90 


Export LDI F data 


See "Exporting LDIF data" on page 91 


Back up da tabase 


SeepBacking up the database" on page 92 


Restore database 


SeepRestoring the database" on page 92 


Optimize database 


SeepOptimizing the database" on page 92 


4. Close the Configuration Tool when you have completed all configuration tasks. 


Setting the Administrator DN and password 

To set the administrator DN and password: 

1. In the IBM Tivoli Directory Server Configuration Tool window, click 
Administrator DN/password in the task list on the left. 

2. In the Administrator DN/password window on the right, type a valid DN (or 
accept the default DN, cn=root) in the Administrator DN field. 

The IBM Directory Server administrator DN is the DN used by the 
administrator of the directory. This administrator is the one user who has full 
access to all data in the directory. 
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The default DN is cn=root. DNs are not case sensitive. If you are unfamiliar 
with X.500 format, or if for any other reason you do not want to define a new 
DN, accept the default DN. 

3. Type the password for the Administrator DN in the Administrator Password 
field. You must define a password. Passwords are case-sensitive. 

Record the password for future reference. 

4. Retype the password in the Confirm password field. 

5. Click OK. 

Note: Double byte character set (DBCS) characters in the password are not 
supported. 

Configuring or unconfiguring the database 

When you configure the database, the Configuration Tool adds information about 
the database that will be used to störe directory data to the configuration file 
(ibmslapd.conf). In addition, if the database does not already exist, the 
Configuration Tool creates the database. 

Notes: 

1. Betöre configuring the database, be sure that the environment variable 
DB2COMM is not set. 

2. The Server must be stopped betöre you configure or unconfigure the database. 


When you unconfigure the database, the Configuration Tool removes the database 
information from the configuration file. Based on your selections, it might also 
delete the database (and all data in it) and remove the instance that contains the 
database. 

Before you configure: creating the DB2 database owner and 
database instance owner 

Betöre you configure the database, you must create a user ID for the user who will 
own the DB2 database. The user ID you specify will own the database instance 
where the DB2 database will exist, and the DB2 instance will be in the user's home 
directory. 


Note: If you want a different database instance name, you must use the ldapcfg 


command with the -t Option to configure the database. See "Configuring the 


database" on page 93 for information. 


The user ID can be no longer than 8 characters. In addition: 

• On Windows platforms, the user must be a member of the Administrators 
group. 

• On UNIX platforms: 

- The user must have a home directory and must be the owner of the home 
directory. 

- The group ownership of the user's home directory should be the DB2 group 
created when DB2 was installed. On AIX and Solaris, this group is usually 
named dbsysadm. On zSeries Linux, this group is usually named db2iadm. 
For example, in the case of a user named ldapdb2, the user ID home 
directory should be owned by ldapdb2:dbsysadm on AIX and Solaris or by 
Idapdb2:db2iadm on zSeries Linux. 

There might be some groups that do not work correctly as the user's primary 
group when configuring the database. For example, if the user's primary 
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group on Linux is users, problems might occur. Use other on Linux if you 
want to be sure that the primary group will work. 

The user root must be a member of the user's primary group. If root is not a 
member of this group, add root as a member of the group. 

- For best results, the user's login shell should be the Korn shell script 
(/usr/bin/ksh). 

- The user's password must be set correctly and ready to use. For example, the 
password cannot be expired or waiting for a first-time Validation of any kind. 
(The best way to verify that the password is correctly set is to telnet to the 
same Computer and successfully log in with that user ID and password.) 

- When configuring the database, it is not necessary, but customary, to specify 
the home directory of the user ID as the database location. Flowever, if you 
specify some other location, the user's home directory still must have 3 to 4 
MB of space available. This is because DB2 creates links and adds files into 
the home directory of the instance owner (that is, the User) even though the 
database itself is elsewhere. If you do not have enough space in the home 
directory, you can either create enough space or specify another directory as 
the home directory. 

Configuring the database 

To configure the directory database: 

1. In the Configuration Tool, dick Configure database in the task list on the left. 

2. The Configuration Tool attempts to determine whether you already have a 
database. If you have a database already configured (that is, the information for 
the database is in the configuration file), the Configuration Tool prompts you 
for information about what you want to do. For example, if the database is 
configured but cannot be found on the System, you might choose to create a 
database using the name specified in the configuration file. Use the information 
shown in the Windows that are displayed to configure the database. 


Depending on whether or not you already have a database, some or all of the 
following Windows are displayed. 


3. If a user ID and password are requested: 

a. Type a user ID in the User ID field. This user ID must already exi st betöre 
you can configure the database. This is the user ID you created in 


'Betöre 


you configure: creating the DB2 database owner and database instance 


owner" on page 85 (In previous releases, the user ID was created if it did 
not exist, but this is no longer true.) 

b. Type a password for the user in the Password field. Passwords are 
case-sensitive. 


c. Click Next. 

4. If the database name is requested: 

a. Type the name you want to give the DB2 database. The name can be from 1 
to 8 characters long. The database will be created in an instance with the 
same name as the user ID. 


5. 


Note: If you want a different database instance name, you must use the 
ldapcfg command with the -t Option to configure the database. See 


'Configuring the database" on page 93 for information. 


b. Click Next. 

If the database location is requested: 
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6. 


a. Type the location for the database in the Database location field. For 
Windows platforms, this must be a drive letter. For non-Windows platforms, 
the location must be a directory name, such as /home/ldapdb2. 

Be sure that you have at least 80 MB of free hard disk space in the location 
you specify and that additional disk space is available to accommodate 
growth as new entries are added to the directory. 

b. Click Next. 

If a character set selection is requested: 

a. Click the type of database you want to create. You can create a UCS 

Transformation Format (UTF-8) database, in which LDAP clients can störe 
UTF-8 character data, or a local code page database, which is a database in 
the local code page. 


If you want to use language tags, the d atabase must be a UTF-8 database. 


For more Information about UTF-8, see Appendix H, "UTF-8 support", on 


page 135 


b. Click Next. 


7. In the verification window, Information is displayed about the configuration 
options you specified. To return to an earlier window and change information, 
dick Back. To begin configuration, click Finish. 

8. The completion window is displayed. Click Close. 


Unconfiguring the database 

To unconfigure the database: 

1. In the Configuration Tool, click Unconfigure database in the task list on the 
left. 

2. In the Unconfigure database window, click one of the following: 

Unconfigure only 

Does not destroy any existing LDAP DB2 data. Flowever, the 
configuration information for the database will be removed from the 
configuration file (ibmslapd.conf), and the database will be inaccessible 
to the directory Server. 

Unconfigure and destroy database 

Removes the existing database and its contents, and removes the 
configuration information for the database from the configuration file. 

Unconfigure and destroy database and delete instance 

Removes the existing database and its contents, removes the 
configuration information for the database from the configuration file, 
and deletes the instance in which the database is located. 


Attention: Betöre destroying an instance, be sure that there are no 
databases in the instance that must be kept. 

3. Click Unconfigure. 

Enabling or disabling the change log 

The change log database is used to record changes to the Schema or directory 
entries in the typical LDAP entry structure that can be retrieved through the LDAP 
API. The change log records all update operations: add, delete, modify, and 
modrdn. The change log enables an IBM Tivoli Directory Server dient application 
to retrieve a set of changes that have been made to an IBM Tivoli Directory Server 
database. The dient might then update its own replicated or cached copy of the 
data. 
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You can use the Configuration Tool to enable or disable the change log. 

Note: The Server must be stopped before you enable or disable the change log. 

Enabling the change log 

To enable the change log: 

1. In the Configuration Tool, click Configure/unconfigure changelog in the task 
list on the left. 

2. In the Configure/unconfigure changelog window, select the Enable change log 
database check box. 

3. In the Maximum number of log entries box, click Unlimited if you want an 
unlimited number of entries in the change log. If you want to limit the number 
of entries, click Entries and type the maximum number of entries you want 
recorded. The default is 1,000,000 entries. 

4. In the Maximum age box, accept the default of Unlimited if you want entries 
to remain in the change log indefinitely, or click Age and type the number of 
days and hours for which you want each entry to be kept. 

5. Click Update. 

Disabling the change log 

To disable the change log: 

1. In the Configuration Tool, click Configure/unconfigure changelog in the task 
list on the left. 

2. In the Configure/unconfigure changelog window, clear the Enable change log 
database check box. 

3. Click Update. 

Managing Suffixes 

A suffix (also known as a naming context) is a distinguished name (DN) that 
identifies the top entry in a locally held directory hierarchy. Because of the relative 
naming scheme used in LDAP, this DN is also the suffix of every other entry 
within that directory hierarchy. A directory Server can have multiple Suffixes, each 
identifying a locally held directory hierarchy; for example, o=ibm,c=us. 

Note: The specific entry that matches the suffix must be added to the directory. 

Entries to be added to the directory must have a suffix that matches the DN value, 
such as ou=Marketing,o=ibm,c=us. If a query contains a suffix that does not match 
any suffix configured for the local database, the query is referred to the LDAP 
Server that is identified by the default referral. If no LDAP default referral is 
specified, an Object does not exist result is returned. 

Note: The Server must be stopped before you add or remove suffixes. 

Adding a suffix 

To add a suffix: 

1. In the Configuration Tool, click Manage suffixes in the task list on the left. 

2. In the Manage suffixes window, type the suffix you want to add in the 
SuffixDN field, and click Add. 

3. When you have added all the suffixes you want, click OK. 
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Note: When you click Add, the suffix is added to the list in the Current suffix 
DNs box; however, the suffix is not actually added to the directory until 
you click OK. 

Removing a suffix 

To remove a suffix: 

1. In the Configuration Tool, click Manage Suffixes in the task list on the left. 

2. In the Manage Suffixes window, click the suffix you want to remove in the 
Current suffix DNs box, and click Remove. 

3. When you have selected all the suffixes you want to remove, click OK. 

Note: When you click Remove, the suffix is removed from the list in the 

Current suffix DNs box; however, the suffix is not actually removed 
until you click OK. 

Managing Schema files 

You can use the Configuration Tool for the following Schema file tasks: 

• Adding a Schema file to the list of Schema files that will be loaded at startup 

• Removing a Schema file from the list of Schema files that will be loaded at 
startup 

• Changing the type of validation checking that is done for Schema files 
Note: The Server must be stopped betöre you add or remove Schema files. 

Adding a Schema file 

To add a Schema file to the list of Schema files that will be loaded at startup: 

1. In the Configuration Tool, click Manage Schema files in the task list on the left. 

2. In the Manage Schema files window, type the path and file name of the Schema 
file you want to load at startup. (Alternatively, click Browse to search for the 
file.) 

3. Click Add. 

Note: When you click Add, the Schema file is added to the list in the Current 
Schema files box; however, the Schema file is not actually added until 
you click OK. 

4. When you have added all the Schema files you want, click OK. 

Removing a Schema file 

To remove a Schema file from the list of Schema files that will be loaded at startup: 

1. In the Configuration Tool, click Manage Schema files in the task list on the left. 

2. In the Manage Schema files window, click the Schema file you want to remove 

in the Current Schema files box. 

3. Click Remove. 

Notes: 

a. A Schema file that contains the string System is a System file and cannot be 
deleted. 

b. When you click Remove, the Schema file is removed from the list in the 
Current Schema files box; however, the Schema file is not actually removed 
until you click OK. 

4. When you have selected all the Schema files you want to remove, click OK to 
process the files. 
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Changing the type of validation checking that is done 

To change the type of validation checking that is done on Schema files: 

1. In the Configuration Tool, click Manage Schema files in the task list on the left. 

2. In the Manage Schema files window, accept the default Schema validation rule 
in the Schema validation rules box, or click the rule you want. You can select 
one of the following rules: 

• Version 3 (Strict) 

LDAP version 3 strict validation checking is done. With this type of 
validation checking, all parent object classes must be present when adding 
entries. 

• Version 3 (Lenient) 

LDAP version 3 lenient validation checking is done. With this type of 
validation checking, all parent object classes do not need to be present when 
adding entries. 

This is the default. 

• Version 2 

LDAP version 2 checking is done. 

• None 

No validation checking is done. 

3. Click OK. 


Importing and exporting LDIF data 

You can use the Configuration Tool to import data from an LDAP Data Interchange 
Format (LDIF) file or to export data from the database to an LDIF file. LDIF is 
used to represent LDAP entries in text form. When importing, you can add entries 
to an empty directory database or to a database that already contains entries. You 
can also use the Configuration Tool to validate the data in the LDIF file without 
adding the data to the directory. 


Importing LDIF data 

Notes: 


1. Betöre you i mport the data from an LDIF f ile, be sure to add any necessary 


Suffixes. 

suffix. 


See "Adding a suffix" on page 88 for information about adding a 


2. The Server must be stopped before you import LDIF data. 


To import data from an LDIF file: 

1. In the Configuration Tool, click Import LDIF data in the task list on the left. 

2. In the Import LDIF data window on the right, type the path and file name of 
the LDIF file in the Path and LDIF file name field. Alternatively, you can click 
Browse to locate the file. 

3. Click Standard import if you want to import the data using the ldif2db utility, 
or click Bulkload if you want to import the data using the bulkload utility. 

Note: For large LDIF files, the bulkload utility is a faster alternative to ldif2db 
if you are importing a large number of entries. 

4. If you want trailing spaces removed from the data, select the Remove trailing 
spaces in Standard import or Bulkload check box. 
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5. If you clicked Bulkload, click the type or types of checking you want to 

perform on the LDIF data in the Bulkload options box. You can select one or 
more of the following: 

• Enable Schema checking 

• Enable ACL checking 

• Enable password policy 
Click Import. 

Note: After loading large amounts of data, especially after populating the database 
using bulkload, be sure to optimize the database. This can make a 
significant improvement to the performance of the database 

Validating LDIF data without adding it to the database 

To validate the data in the LDIF file without adding it to the database: 

1. In the Configuration Tool, click Import LDIF data in the task list on the left. 

2. In the Import LDIF data window on the right, type the path and file name of 
the LDIF file in the Path and LDIF file name field. Alternatively, you can click 
Browse to locate the file. 

3. Click Data validation only. 

4. Click Import. 

Exporting LDIF data 

Betöre you export LDIF data, be sure that you have enough space to export all the 
data. 

To export data from the database to an LDIF file: 

1. In the Configuration Tool, click Export LDIF data in the task list on the left. 

2. In the Export LDIF data window on the right, type the path and file name of 
the LDIF file in the Path and LDIF file name field. Alternatively, you can click 
Browse to locate the file. 

3. If you want to overwrite the data in an existing file, select the Overwrite if file 
exists check box. 

4. If you want to export the creatorsName, createTimestamp, modifiersName, and 
modifyTimestamp operational attributes, select the Export operational 
attributes check box. 

These operational attributes are created and modified by the Server when a 
directory entry is created or modified; they are also modified any time the 
entry is modified. They contain information about the user who created or 
modified the entry and the time the entry was created or modified. 

5. If you want to export only some of the data in the directory, complete the 
Subtree DN field. The subtree DN identifies the top entry of the subtree that is 
to be written to the LDIF output file. This entry, plus all entries below it in the 
directory hierarchy, are written to the file. If you do not specify this Option, all 
directory entries stored in the database are written to the output file based on 
the suffixes specified in the IBM Directory Server configuration file. 

6. Click Export. 

Backing up, restoring, and optimizing the database 

You can use the Configuration Tool for the following database tasks: 

• Backing up the data in the database 
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• Restoring data and, optionally, configuration settings that were previously 
backed up 

• Updating statistics related to the data tables for the purpose of improving 
performance and query speed 

Backing up the database 

The Server must be stopped betöre you can back up the database. 

To back up the database: 

1. In the Configuration Tool, click Backup database in the task list on the left. 

2. In the Backup database window on the right, in the Backup directory field, 
type the directory path in which to back up all directory data and configuration 
settings. Alternatively, click Browse to locate the directory path. 

3. Click one of the following: 

• Create backup directory as needed if you want the directory to be created if 
it does not exist. 

• Abort if backup directory is not found if you do not want the directory you 
specified to be created. If this directory does not exist and you select this 
Option, the database will not be backed up. 

4. Click Backup. 

Restoring the database 

The Server must be stopped betöre you can restore the database. 

To restore the database: 

1. In the Configuration Tool, click Restore database in the task list on the left. 

2. In the Restore database window on the right, in the Backup directory field, 
type the path in which the directory was previously backed up. Alternatively, 
click Browse to locate the path. 

3. If you want to restore only the directory data, but not the configuration 
settings, select the Restore data only (not configuration settings) check box. If 
you want to restore both data and configuration settings, be sure the check box 
is cleared. 

4. Click Restore. 

Optimizing the database 

The Server must be stopped betöre you can optimize the database. 

Optimize the database to update statistics related to the data tables; this can 
improve performance and query speed. Perform this action periodically or after 
heavy database Updates; for example, after importing database entries. 

1. In the Configuration Tool, click Optimize database in the task list on the left. 

2. In the Optimize database window on the right, click Optimize. 


Using the Idapcfg utility 


The Idapcfg utility is a command-line tool that you can use to configure IBM Tivoli 
Directory Server. You can use Idapcfg instead of the Configuration Tool for the 
following tasks: 


Setting the administrator D N and password. See "Setting the administrator DN 


and password" on page 93 for instructions. 


Configuring a database. See "Configuring the database" on page 93 for 
instructions. 
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• Cha nging the password of the DB2 administrator in the Serv er configuration file. 


See 

"Changing the DB2 administrator password" on page 95 

for instructions. 

Enabling the change log. See 

"Enabling the change log" on page 95 

for 


instructions. 


Adding a suffix. See "Adding a suffix" on page 95| for instructions. 


Setting the administrator DN and password 

To define the administrator DN and password, type the following at a command 
prompt: 

ldapcfg -u "adminDN" -p password 


where 

• adminDN is the administrator DN you want. 

• password is the password for the administrator DN. 

Note: Double byte character set (DBCS) characters in the password are not 
supported. 

For example: 

ldapcfg -u "cn=root" -p secret 


Note: Do not use single quotation marks (') to define DNs with spaces in them. 
They are not interpreted correctly. 

To accept the default administrator DN of cn=root and define a password, type the 
following command at a command prompt: 
ldapcfg -p password 


where password is the password for the administrator DN. 

For example: 
ldapcfg -p secret 


Configuring the database 

When you configure the database, you must always specify a user ID and 
password on the command line. The instance name is, by default, the same as the 
user ID. The user ID must already exist and must meet certain requirements. If you 
want a different instance name you can specify it using the -t Option. This name 
must also be an existing user ID that meets certain requirements. See "Before you 


configure: creating the DB2 database owner and database instance owner" on 


page 85 for information about these requirements on both Windows and UNIX 
platforms. 


Attention: 

1. Before configuring the database, be sure that the environment variable 
DB2COMM is not set. 

2. Be sure to read this section before you use the ldapcfg command. Some 
options (such as -f and -s) have changed. Unpredictable results will occur if 
you use them incorrectly or as they were used in previous releases. 

3. The Server must be stopped before you configure the database. 


To configure a database, the following options are available: 
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-1 location 

Specifies the location of the DB2 database. For UNIX Systems, this is a 
directory name such as /home/ldapdb. For Windows Systems, this is a 
drive letter such as C: 

-a id Specifies the DB2 administrator ID. 

-c Creates a database in UTF-8 format. (The default, if you do not specify this 
Option, is to create a database that is in the local code page.) 

-i Destroys any instance currently configured with IBM Tivoli Directory 
Server. All databases associated with the instance are also destroyed. 

-w passzvord 

Specifies the DB2 administrator password. 


Note: The ldapcfg -w passzvord command no longer changes the System 
passwo rd of the database owner. It only Updates the ibmslapd.co nf 


file. See pChanging the DB2 administrator password" on page 95|for 


information about using the -w Option alone. 


-d database 

Specifies the DB2 database name. 


-t dbinstance 

Specifies the database instance. If you do not specify an instance, the 
instance name is the same as the DB2 administrator ID. 


-o Overwrites the database if one already exists. By default, the database 
being overwritten is not deleted. 

-r Destroys any database currently configured with IBM Tivoli Directory 
Server. 


-f Specifies the full path of a file to redirect output into. If used in 
conjunction with the -q Option, only errors will be sent to the file. 

-q Runs in quiet mode. All output is suppressed except for errors. 

-n Runs in no prompt mode. All output is generated except for messages 
requiring user interaction. 


To configure a database on /home/ldapdb2 with a DB2 administrator name of 
db2admin, a password of mypassword, and a database name of dbName when 
there is not an existing database configured (that is, the first time), the command 
is: 

ldapcfg -1 /home/1 dapdb2 -a db2admin -w mypassword -d dbName 


To configure a database on /home/ldapdb2 with a DB2 administrator name of 
db2admin, a password of mypassword, a database name of dbName, and an 
instance name of dbinstance when there is not an existing database configured 
(that is, the first time), the command is: 

ldapcfg -1 /home/1dapdb2 -a db2admin -w mypassword -d dbName -t dbinstance 

To configure a database on /home/ldapdb2 when a database is already configured 

and you want to overwrite it, the command is: 

ldapcfg -1 /home/1dapdb2 -a db2admin -w mypassword -d dbName -o 


For infor mation about unconfiguring a database usin g the ldapucfg command-line 


utility, see p Unconfiguring the database" on page 99 
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Changing the DB2 administrator password 

If you change the password for the DB2 administrator through the operating 
System, you must also change it using ldapcfg with the -w Option. This changes 
the password in the Server configuration file. Similarly, if you change the password 
for the DB2 administrator with the ldapcfg command, you must also change it 
through the operating System. 

To change the DB2 administrator password to newpassword, type the following 
command: 

ldapcfg -w newpassword 

Note: Double byte character set (DBCS) characters in the password are not 
supported. 

Enabling the change log 

To enable the change log use the -g Option. The change log is a separate database 
that records changes to the main directory. You need an additional 30 MB to create 
it. 


Note: The Server must be stopped before you enable the change log. 

To set the maximum number of entries that will be logged in the change log, use 
the -m maxentries Option. If you do not specify a maximum number, the default of 
0 means there is no limit to the number of entries. 


To set the time for which entries will be kept in the change log, use the -y maxdays 
and -h maxhours options. For example, to set the age limit to 30 days and 12 hours, 
type ldapcfg -y 30 -h 12. 


For infor mation about disabling the change log using the ldapucfg command-line 


utility, seepUnconfiguring the database" on page 99 


Ad ding a suffix 

To add Suffixes to the ibmslapd.conf file using the ldapcfg utility, the command is: 
ldapcfg -s "suffix" 


where suffix is the suffix you want to add. 

Note: The Server must be stopped before you add suffixes. 


Importing or exporting data 

To import data from an LDIF file, you can use either the ldif2db or the bulkload 
utility. 

To export data to an LDIF file, you can use the db2ldif utility. 

See the IBM Tivoli Directory Server Version 5.2 Administration Guide for instructions. 


Backing up, restoring, and optimizing the database 

The following sections describe how to back up, restore, and optimize the database 
using command line Utilities. 


Chapter 12. Configuration 95 





Backing up the database using the dbback command 

To back up the directory database using the command line, use the dbback utility. 
Notes: 

1. The Server must be stopped before you back up the database. 

2. This utility uses the ibmslapd.conf configuration file. 

The following options are available: 

-d directory 

Specifies the directory in which you want to back up the database. The 
user ID that owns the configured directory database must have write 
access to this directory. 

-w filename 

Specifies the full path and file name of a file into which you want to 
redirect output. 

Restoring the database using the dbrestore command 

To restore the directory database using the command line, use the dbrestore utility. 

Note: The Server must be stopped before you restore the database. 

The following options are available: 

-d directory 

Specifies the directory from which to restore the database. 

-n Specifies not to restore the ibmslapd.conf file. 

-w filename 

Specifies the full path and file name of a file into which you want to 
redirect output. 

Optimizing the database using the runstats command 

To optimize the directory database using the command line, use the runstats 
command. This command Updates statistics related to the data tables. 

Note: The Server must be stopped before you optimize the database. 

The following Option is available: 

-f config_file_name 

Specifies the name of the configuration file. If not specified, ibmslapd.conf 
is used. 
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Chapter 13. After you install and configure 

After you install the Server, set the administrator DN and password, and configure 
the database, you can start the directory Server. If you installed the Web 
Administration Tool and the embedded version of WebSphere Application Server - 
Express, you can start the application Server. 


Starting the directory Server 

To start the directory Server, type ibmslapd at a command prompt. 

On Windows Systems, you can also start and stop the Server through the Services 
f older. 

• To start the Server, click IBM Tivoli Directory Server V5.2. Then click Actions 
—> Start. 

• To stop the Server, click IBM Tivoli Directory Server V5.2. Then click Actions 
—> Stop. 

For information about starting and stopping the Server and performing other 
administrative tasks using the Web Administration Tool and the command line, see 
the IBM Tivoli Directory Server Version 5.2 Administration Guide. 


Starting the application Server to use the Web Administration Tool 

To start the application Server if you are using the embedded version of 
WebSphere Application Server - Express as your application Server: 

1. Go to the bin subdirectory of the directory where you installed the embedded 
version of WebSphere Application Server - Express. If you used the 
InstallShield GUI to install, this is the appsrv/bin subdirectory of the directory 
where you installed IBM Tivoli Directory Server. 

2. Type one of the following at a command prompt. 

• startServer serverl.bat for Windows Systems 

• startServer. sh serverl for UNIX Systems 


Stopping the application Server 

Use one of the following commands to stop the application Server: 

• On Windows Systems: 
k/ASPathXbi n\stopServer.bat serverl 

• On UNIX Systems: 

WASPath/bi n/stopServer. sh serverl 

where WASPath is the path where you installed the embedded version of 
WebSphere Application Server - Express. 


Starting the Web Administration Tool 

To start the Web Administration Tool: 

1. After you have started the application Server, from a Web browser, type the 
following address: http:/ /localhost:9080/IDSWebApp/IDSjsp/Login.jsp 
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The IBM Tivoli Directory Server Web Administration login page window is 
displayed. 

Note: This address works only if you are running the browser on the Computer 
on which the Web Administration Tool is installed. If the Web 
Administration Tool is installed on a different Computer, replace 
localhost with the hostname or IP address of the Computer where the 
Web Administration Tool is installed. 

For Information about using the Web Administration Tool, see the IBM Tivoli 
Directory Server Version 5.2 Administration Guide. 
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Chapter 14. Unconfiguring the database and uninstalling IBM 
Tivoli Directory Server 


To remove IBM Tivoli Directory Server from your Computer, you must first 
unconfigure the database, and then uninstall the Server. Use the sections in this 
chapter to unconfigure and remove the Server. 


Unconfiguring the database 


You can use the Configuration Tool (ldapx cfg) to unconfigure the database. See 


'Unconfiguring the database" on page 87 for information. 


The options for the ldapucfg utility are similar to those for the ldapcfg utility. (See 


'Using the ldapcfg utility" on page 92 for information about ldapcfg.) However, in 


the ldapucfg utility: 

• The -d Option removes the currently configured DB2 database. It also removes 
the change log if enabled. 


- The -r Option, used with -d, destroys any database currently configured with 
IBM Tivoli Directory Server without prompting for information. 

- The -i Option, used with -d, destroys any instance currently configured with 
IBM Tivoli Directory Server without prompting for information. All databases 
associated with the instance are destroyed also. 

• The -g Option disables the change log. Disabling the change log removes the 
change log database and any data (change records) that are in it. The -g Option 
does not affect the main directory database. 


Note: If you are unconfiguring a UNIX-based System, you must run ldapucfg from 
a directory that has execute permission for other. That is, the directory must 

have at least the-x permission set. If this permission is not set, you 

might see an error message and experience a subsequent failure. To set this 
permission for your current directory, you can enter the command: 
chmod o+x . 


The period ( . ) in the command is required to indicate the current directory. 

Attention: Back up any existing Schema files and your directory betöre 
performing the following steps. 

To remove the DB2 configuration information: 

1. On UNIX platforms, log in as root. On Windows Systems, log on as an 
administrator. 

2. Stop all clients that are connected to the IBM Tivoli Directory Server Server. 

3. Use the ldapucfg utility to remove the DB2 configuration information from the 
Server. At the command prompt, enter: 

ldapucfg -d 

You might be prompted for more information about removing the database and 
the DB2 instance. 
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Uninstalling IBM Tivoli Directory Server 

After you unconfigure, use the following sections to uninstall IBM Tivoli Directory 
Server. 


Uninstalling using the InstallShield GUI 

The following sections describe how to uninstall the IBM Tivoli Directory Server 
using the InstallShield GUI. 


Notes: 


1. If you installed IBM Tivoli Directory Server using the InstallShield GUI, use the 
InstallShield GUI to uninstall. 


2. Betöre you uninstall the embedded version of Web Sphere Application Server - 


Express, you must stop the application Server. (See "Stopping the application 


Server" on page 97 for Information.) Betöre you start to uninstall, close all 


Windows to make sure that the installpath / appsrv directory is not in use. 


After uninstalling embedded version of WebSphere Application Server - 
Express, verify that the installpath /appsrv directory is removed. If it is not, you 
must remove it betöre you attempt to install again. 


Windows platforms 

To remove IBM Tivoli Directory Server on a Windows platform using the 
InstallShield GUI: 

1. Click Start —> Settings —> Control Panel —> Add/Remove Programs. 

2. Select IBM Tivoli Directory Server 5.2. Click Change/Remove. 

3. Select the language you want to use during the uninstallation procedure. Click 

OK. 

4. On the Welcome window, dick Next. 

5. Select the features you want to uninstall. Click Next. 


Note: If you migrated from an IBM Directory Server 4.1 installation in which 
the DMT and Java feature was installed, DMT and Java is in the list of 
features to be uninstalled. Select this feature to be removed. Until you 
remove this feature with the InstallShield GUI, it will continue to display 
in the list of features to uninstall. 

6. On the confirmation window, to uninstall the selected features, dick Next. 


UNIX platforms 


Note: The InstallShield GUI is not available on iSeries Linux, pSeries Linux, 
zSeries Linux, and HP-UX. 


To remove IBM Tivoli Directory Server on a UNIX platform using the InstallShield 
GUI: 

1. At a command prompt, go to the IBM Tivoli Directory Server _uni nst directory. 

• On AIX and Linux operating Systems, this directory is/usr/ldap/_uninst. 

• On the Solaris operating System, this directory is /opt/IBMldapc/_uninst. 

2. Run the uninstall command: 

./uninstal1 

3. Select the language you want to use during the uninstallation. Click OK. 

4. On the Welcome window, dick Next. 

5. Select the features you want to uninstall. Click Next. 
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6. Qn the confirmation window, to uninstall the selected features, click Next. 


Uninstalling using operating System Utilities 

After you remove the configuration Information, you can uninstall IBM Tivoli 
Directory Server. 


Notes: 


1 . 


2 . 


If you installed IBM Tivoli Di rectory Server using the InstallShield GUI, 
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uninstall using the process in "Uninstalling using the InstallShield GUI" on 


Removing IBM Tivoli Directory Server does not remove any databases you 
created using IBM Tivoli Directory Server. 


AIX operating System 

To uninstall the IBM Tivoli Directory Server Server or dient, type the following: 
instaU p -u ldap 


This removes only IBM Tivoli Directory Server filesets. It does not remove other 
components such as DB2. 

Linux operating System 

Betöre removing IBM Tivoli Directory Server, ensure that the Server is stopped and 
then issue the following commands. 

Note: If the IBM Tivoli Directory Server Server is installed, you must remove the 
Server betöre you remove the dient (the reverse order of the Installation). 

rpm -ev ldap-server-5.2-1 
rpm -ev ldap-webadmin-5.2-1 
rpm -ev ldap-client-5.2-1 

rpm -ev ldap-msg-xxx-5.2-l.i386.rpm (Where xxx is 
language dependent.) 

rpm -ev ldap-html-xxx-5.2-l.i386.rpm (Where xxx is 
language dependent.) 

Solaris operating System 

You can uninstall IBM Tivoli Directory Server using the admintool utility or from a 
command line using pkgrm. 

AdminTool removal: To remove IBM Tivoli Directory Server using the admintool 
utility: 

1. Log in as root. 

2. Type the following at a command prompt: 
admintool& 

The Users window is displayed. 

3. Click Browse —> Software. The Software window is displayed. 

4. Select the packages to delete from the displayed list. 

IBM Tivoli Directory Client 
IBM Tivoli Directory Documentation 
IBM Tivoli Directory Messages 
IBM Tivoli Directory Server 
IBM Tivoli Directory Webadmin 

5. Click Edit —> Delete. The AdminTool: Wartung window is displayed. 

6. Click Delete. 
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Note: With the removal of dient and Server packages, the System prompts you 
with the query, This package contains Scripts which will be executed 
with super-user permission during the process of installing the 
package. Continue with the removal of this package? Type y to 
continue. If you are removing the Server package, you also see the 
prompt, Do you want to remove these as setuid and/or setgid files? 
Type y to continue. 

7. After the package is removed, the Software window is displayed. When the 
removal is complete, type q to return to the command prompt. 

Installing IBM Tivoli Directory Server using the default settings creates the 
opt/IBMldaps and opt/IBMldapc directories. If you uninstall IBM Tivoli Directory 
Server, the removal procedure might not remove these directories. If one or both of 
these directories exist, they create a problem if you later reinstall IBM Tivoli 
Directory Server in non-default directories. 

To ensure that the directories are completely removed issue this command at a 
command line: 

rm -fr /opt/IBMldaps /opt/IBMldapc 

You can now reinstall IBM Tivoli Directory Server to a non-default directory. 

Note: This problem does not occur if you reinstall to the default directories. 

Command line removal: To see what IBM Tivoli Directory Server components are 
installed, type: 
pkginfo | grep -i ibml 

The output displayed is similar to the following: 

IBMldapc IBM Tivoli Directory Client 
(spare) 5.2.0.0 

IBMldaps IBM Tivoli Directory Server 

(spare) 5.2.0.0 

IBMldixxx IBM Tivoli Directory documentation 
(spare) 5.2.0.0 

IBMldmxxx IBM Tivoli Directory messages 

(spare) 5.2.0.0 

IBMldapw IBM Tivoli Directory Webadmin 

(spare) 5.2.0.0 

Use pkgrm to remove the desired packages. For example: 
pkgrm IBMldaps IBMldapc IBMldapw 

You can specify either the package name or its listing number. Remove the 
packages in the reverse order of the Installation sequence. (The order in which you 
remove the Web Administration Tool is not important.) 

HP-UX 

To remove IBM Tivoli Directory Server, complete the following steps: 

1. At a command prompt, type swremove 

2. Select the installed IBM Tivoli Directory Server. 

3. Click Actions —> Mark For Remove. 

4. Click Actions —> Remove/Uninstall. 

5. Click OK. 

6. When removal is complete, click Done. 


102 


IBM Tivoli Directory Server: Installation and Configuration Guide 


7. Click File —> Exit. 
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Chapter 15. Troubleshooting 


If you are having problems installing or configuring IBM Tivoli Directory Server 
5.2, refer to this section for possible fixes. 


InstallShield GUI installation 

If installation does not complete, the first place you can look for information is the 
ldapinst.log file. If the installation destination directory (instnll_directory) was 
created, this log is in the install_directory root directory. For example, on a Windows 
System, the ldapinst.log file is, by default, in c:\Program Files\IBM\LDAP\. If 
install_directory was not created before the installation failed, the log might be in a 
temporary directory. To find it, search for "ldapinst.log". Review this log for any 
messages about why the installation failed. 

Because some of the LDAP features require corequisite products, it is possible that 
a failure in a corequisite installation caused the IBM Tivoli Directory Server 
installation to fail. For example, if the Server feature is being installed, but the DB2 
installation fails, the Server feature cannot be installed. 

Logs used by the InstallShield GUI when installing embedded version of 
WebSphere Application Server - Express are: 

On Windows platforms 

• Documents and SettingsX «send X Local Settings\Temp\installApp.log 

• Documents and SettingsX «send X Local Settings\Temp\installAppErr.log 

• Documents and SettingsX «send XLocal Settings\Temp\configApp.log 

• Documents and SettingsX «send XLocal Settings\Temp\configAppErr.log 

On UNIX platforms 

• / tmp / install App .log 

• / tmp / install AppErr. log 

• /tmp/configApp.log 

• / tmp / config AppErr. log 

Logs used by the InstallShield GUI when installing and uninstalling DB2 on 
Windows are: 

When installing 

• Documents and SettingsX userid XLocal Settings\Temp\DB2setup.log 

• Documents and SettingsX userid X Local Settings\Temp\db2wi.log 

• Documents and SettingsX userid X Local Settings\Temp\db2inst.log 

• Documents and SettingsX «sendXLocal Settings\Temp\db2insterr.log 

When uninstalling 

• Documents and SettingsX «send X Local Settings\Temp\DB2remove.log 

• Documents and SettingsX «send X Local Settings\Temp\db2uninst.log 

• Documents and SettingsX «send X Local Settings\Temp\db2uninsterr.log 

• Documents and SettingsX «send X Local Settings\Temp\db2uninsttrc.log 
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Failed installation 

Another reason for an installation failure is lack of disk space. IBM Tivoli Directory 
Server attempts to verify that there is enough space and generates messages if the 
required disk space is not found, but sometimes the InstallShield GUI cannot 
progress far enough to issue a message. Betöre installing, make sure you have the 
recommended free disk space. All platforms use temporary space, and in addition, 
UNIX platforms use the /var directory. When installation is first run, the JVM is 
installed to the installation directory, so be sure that your installation destination 
directory has enough space. 


Recovering from a failed installation 

The first step to recovering from a failed installation is to run the InstallShield 
Uninstall GUI to clean up any registry entries that might have been made by the 
installation process. If you do not run the InstallShield Uninstall GUI, the 
InstallShield GUI might fail the next time you try to use it to install IBM Tivoli 
Directory S erver. See the following sections for information organiz ed by operating 


System. SeepUninstalling using the InstallShield GUI" on page 100|for information 


about uninstalling using the InstallShield GUI. 


When installing on UNIX platforms, the InstallShield GUI uses the native packages 
(for example, AIX installp files. Solaris .pkg files, or RPM files) to install IBM Tivoli 
Directory Server. Because of this, you will see these packages when you run the 
platform commands (such as rpm -qa on the Linux operating System) to query 
what is installed. Even though you can use the platform commands (such as rpm 
-e) to uninstall, you must use the InstallShield GUI to uninstall so that the 
InstallShield Registry is cleaned up. 


Windows operating System 

On Windows platforms: 


1 . 

2 . 


Uninstall IBM Tivoli Directory Serv er using the InstallShield GUI. See 


'Windows platforms" on page 100 


for information. 


Remove the IBM Tivoli Directory Server installation directory. The default 
directory is C:\Program Files \IBM \LDAP. 


3. Correct any other problems listed in the ldapinst.log file. 

4. Use regedit to remove the LDAP entry in the registry: 
HKEY_LOC AL_MACHINE \ SOFTWARE \ IBM\ LD AP 


5. Remove the following environment variables: 


LDAPHome=C:\Program Files\IBM\LDAP 
LIBPATH=C: \ Program Files \ IBM \ LDAP \JAVA 
LOCPATH=C:\Program Files\IBM\LDAP\bin\locale 
NLSPATH=C:\Program Files\IBM\LDAP\NLS\MSG\%L\%N 
Path=C: \ Program Files \ IBM \ LDAP \bin 
TISDIR=C:\Program Files\IBM\LDAP 


Note: The InstallShield GUI also sets the LANG environment variable 

(LANG=enusl252); however, because other programs might use this 
environment variable, it is not in the list of environment variables to 
remove. 


AIX operating System 

On the AIX operating System: 


1. Uninstall IBM Tivoli Di rectory Server using the InstallShield GUI. See |"UNIX 


platforms" on page 100 for information. 
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2. Type the following at a command prompt: 
lslpp -1 |grep -i ldap 

3. If any packages that were installed by IBM Tivoli Directory Server were left on 
the System, use installp to uninstall them, as follows: 

installp -u packagename 

4. Remove the /usr/ldap directory. 

5. Correct any other problems that were listed in the ldapinst.log. 


Note: AIX operating System installation generates an additional log called 
installp_isje.log. You must review this log to determine if there were 
failures in the installp commands issued by the InstallShield GUI. 


Linux operating System 

On the Linux operating System: 

1. Uninstall IBM Tivoli Di rectory Server using the InstallShield GUI. See 


platforms" on page 100 for Information. 


'UNIX 


2. Type the following at a command prompt: 
rpm -qa | grep -i ldap 


If any packages that were installed by IBM Tivoli Directory Server were left on 
the System, use the rpm command to uninstall them. For example: 
rpm -ev packagenames 

3. If an rpm command hangs, try running the command with the noscripts 
Option: 

rpm -ev --noscripts packagenames 

4. Remove the /usr/ldap directory. 

5. Correct any other problems that were listed in the ldapinst.log file. 

Solaris operating System 


On the Solaris operating System: 

1. Uninstall IBM Tivoli Di rectory Server using the InstallShield GUI. See "UNIX 


platforms" on page 100 for information. 


2. Type the following at a command prompt: 
pkginfo | grep -i ldap 

3. If any packages that were installed by IBM Tivoli Directory Server were left on 
the System, use pkgrm to uninstall them: 

pkgrm packagenames 


Note: If you encounter problems removing these packages, try to remove the 
directories containing the packages from /var/sadm/pkg 

4. Remove the /opt/IBMldapc and /opt/IBMldaps directories, and any other 
directories left from the installation, such as a language directory. 

5. Correct any other problems that were listed in the ldapinst.log. 


Configuration 

The following sections contain troubleshooting information about configuration. 

DB2 license file expired 

If you see the following message during the configuration of the database 
Failed to Start database manager for instance: ldapdb2 


Chapter 15. Troubleshooting 107 







you might have a problem with your electronic DB2 license. To verify this, type the 

following at the command prompt: 

db2start 

If your license is correct, you see the message: 

SQL1063N DB2START processing was successful. 

Otherwise, you see a message indicating that your license has expired or will 
expire in some number of days. 

If there is a problem with your electronic DB2 license, one of the following 
situations might be the cause: 

• You have a demonstration license. 

1. To Upgrade your DB2 product from a demonstration license to a product 
license, copy the license file from the DB2 CD to the System where DB2 is 
installed; you do not need to reinstall DB2. 

Note: Your Proof of Entitlement and License Information booklets identify 
the products for which you are licensed. 

2. After you have a valid license on the System, run the following command to 
activate the license: 

db21icm -a license_Jilename 

• You have purchased a different DB2 product. 

If you install a DB2 product as Try-and-Buy, and you buy a different DB2 
product, you must uninstall the Try-and-Buy product and then install the new 
one that you have purchased. Type the following at a command prompt to 
Upgrade your DB2 license: 
db21icm -a license_Jilename 

Note: license_filennme is the name of the license file; for example, db2udbee.lic. 

Translated titles might truncate in Configuration Tool 

In the Configuration Tool, titles in the pop-up Windows might truncate depending 
upon the language. If this problem occurs, depending on your display, you can 
resize the the window accordingly. 

Interrupting Configuration Tool database tasks causes an 
incorrect Status for the files 

If you are using the Configuration Tool to configure, unconfigure, import, export, 
backup, restore, or optimize a database and the process is interrupted by, for 
example, a Segmentation fault, the Status of the files is returned incorrectly. When 
you try to restart the process, the message 
Task is already running. 

is displayed. This is because the status output for the process is monitored through 
files in the $LDAPHOME/tmp folder that were not deleted when the process was 
interrupted. 

To restart the interrupted process, you must first manually delete the following 
two files: 

• $LDAPHOME/tmp/ldapcfg.dat 

• $LDAPHOME/tmp/ldapcfg.stat 
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Java failure when configuring an existing instance and 
database 

If you are using United Linux 1.0, Red Hat Advanced Server 2.1, or AIX with DB2 
v8.1 and you are configuring an existing instance and database, a Java failure 
might occur after the configuration is completed. This failure, however, can be 
ignored. The instance and database are successfully configured. For example, if 
you issued the command: 

ldapcfg -a <myuserID> -w <mypassword> -d <mydatabase> -1 /hom e/<myuserID> 

the following message might be displayed after the completion of the configuration 
process: 

IBM Directory Server Configuration complete. 

Unexpected exception has occurred: 

ReportedExceptionCode = b, at ExceptionAddress = 74736574 

ACCESS_VI0LATI0N occured outside Interpreter and JITed code 
ExecMode = EXECM0DE_BYTEC0DE 
stackpointer=0xbffc7370 
Writing Java core file _ 

Written Java core to /var/1dap/javacore9151. 1035571351.txt 
Abort 

Error when starting the Configuration Tool on AIX 

The following error might occur when you start the Configuration Tool on AIX: 

# ldapxcfg exec(): 0509-036 Cannot load program ldapxcfg 

because of the following errors: 

0509-022 Cannot load module /usr/1dap/1ib/1ibdbadmin.a. 

0509-150 Dependent module /usr/1dap/1ib/1ibdb2.a(shr_64.o) could not . 
0509-152 Meniber shr 64.o is not found in archive 


If this error occurs, check the following: 

• You have the correct version of DB2 (DB2 8.1, FixPak 2, 64-bit) 
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• You have 64-bit hardware. See |" Verifying that AIX hardware is 64-bit" on 
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• You are r unning a 64-bit kernel. See "Verifying that the AIX kernel is 64-bit" on 


• You migrated your database to 64-bit. See "Migration from IBM Directory Server 


|version 4.1 or 5.1 for AIX installations" on page 37 


Configuration programs terminate on AIX 

If the configuration programs (ldapcfg, ldapxcfg, and ldapucfg) terminate 
immediately when you start them, check the LIBPATH. If the /re/bin/classic 
directory of a JVM other than the one provided with IBM Tivoli Directory Server 
comes betöre the %LDAPHOME%/java/bin/classic directory, do one of the 
following: 

• Remove the extraneous JVMs from the LIBPATH. 

• Place the %LDAPHOME%/java/bin/classic directory in front of the other JVM 
directories in the LIBPATH. 


DB2 does not configure properly 

Note: Betöre configuring the database, be sure that the environment variable 
DB2COMM is not set. 
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If a failure occurs during database configuration, usually one of the following is 
the cause: 


The user ID was not set up correctly. See "Before you configure: creating the 


DB2 database owner and database instance owner" on page 85 

for information. 

The permissions for the user ID are not correct. See 

"Before vou confieure: 

for 

creating the DB2 database owner and database insta 

nee owner" on page 85 


information. 


• Remnants of a previous database or DB2 instance with the name you specified 
for the database are present on the System. 

• There is not enough space in the location you specified. 


Check to see if there are problems with any of these items, and then try to 
configure again after you fix the problem. 

Note: If you use the Configuration Tool to configure and configuration fails, the 
Configuration Tool does some cleanup, and this can sometimes fix the 
problem. If you do not find any of the problems in the list, try configuring 
again. 

Database performance is poor 

For detailed information about improving performance (including information 
about butter pools), see the IBM Tivoli Directory Server Version 5.2 Performance 
Tuning Guide. 

Server does not Start after making changes to configuration 
files attributes 

The attributes defined in IBM Tivoli Directory Server configuration files are 
significant to only the first 18 characters. Names longer than 18 characters are 
truncated to meet the DB2 restriction. 


If you want to index the attribute, the limit is further restricted to 16 characters. If 
you add attributes longer than 18 characters, the Server might not start. For 
additional information, see the Server Administration helps under Reference, 
Directory Schema. 

Transaction log is full 

The following messages might be displayed at IBM Tivoli Directory Server startup 
if the Schema defines too many attributes: 

SQL0965C The transaction log for the database is full 

SQLSTATE=57011 slapd unable to Start because all backends failed to configure 

You might need to increase the DB2 transaction log sizes by typing: 

db2 update db cfg for ldaptest using logprimary X 
db2 update db cfg for ldaptest using logsecond X 

where X is greater than what is currently defined. 

Configuration Tool 

The following sections apply to the Configuration Tool. 


110 


IBM Tivoli Directory Server: Installation and Configuration Guide 















Some keyboard commands fail on Browse Windows 

You might not be able to use the Space, Enter or arrow keys on the keyboard to 
view the contents of the Look in menu on a Browse window. To work around this 
problem, press Alt+Down Arrow to display the Look in menu, and use the arrow 
keys to select a drive. 

NullPointer exception when exiting the Configuration Tool 

If you exit the Configuration Tool after entering an invalid database name, a 
NullPointer exception occurs in the command window where the ldapxcfg 
command was executed. The exception does not affect the configuration process. 


Debugging 

The following sections provide debugging Information. 

Error opening slapd.cat on Windows 

On Windows Systems, you might receive an error message that includes the 
following: 

Error opening slapd.cat 

Plugin of type DATABASE is successfully loaded from C:/Program Fi 1es/IBM/LDAP/bi 
n/libback-config.dll. 

Error opening rdbm.cat 

If this occurs, check the NLSPATH environment variable. The installation program 
sets the NLSPATH environment variable as a System environment variable. 
However, if the System also has the NLSPATH variable set as a user environment 
variable , the user NLSPATH environment variable Overrides the System setting. 

To correct this, you can append the NLSPATH information from the System 
environment variable to the information in the user environment variable. 

Logging on to the Web Administration Tool console on 
Internet Explorer 

On Windows, Web Administration errors occur if all the following conditions exist: 

• The Web Administration Tool is installed locally 

• The Web Administration Tool runs on a locally installed version of Microsoft 
Internet Explorer 

• The Web Administration Tool uses the locally installed embedded version of 
WebSphere Application Server - Express 

• An IP address or hostname is part of the URL used to access the Web 
Administration Tool 

If these conditions exist on your Computer, avoid errors by using localhost instead 
of an IP address or hostname when logging on to the Web Administration GUI 
console. 

For example, open an Internet Explorer Web browser and type the following in the 
Address field: 

http://localhost:9080/IDSWebApp/IDSjsp/Login.jsp 

Corruption of data entered in Web Administration Tool 

If data that you enter in non-English languages in the Web Administration Tool is 
corrupted, do the following: 
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On the embedded version of WebSphere Application Server - Express 

Edit the Server, xml file in the following directory: 

WAS_/)ome/appsrv/confi g/cel 1 s/Defaul tNode/nodes/Defaul tNode/servers/serverl 

Add the text shown in hold to the stanza as shown: 

<processDefinition xmi:type="processexec:JavaProcessDef" 
xmi:id="JavaProcessDef_l" 
executableName="${JAVA_HOME}/bin/java" 
executableTarget="com.ibm.ws.runtime.WsServer" 
executableTargetKind="JAVA_CLASS" 
workingDirectory="${USER_INSTALL_ROOT}"> 

<execution xmi:id="ProcessExecution_l" processPriority="20" runAsüser="" 
runAsGroup=""/> 

<monitoringPolicy xmi:id="MonitoringPolicy_l" pingInterval="60" 
maximumStartupAttempts="3" pingTimeout="3O0" autoRestart="true" 
nodeRestartState="STOPPED" /> 

<ioRedirect xmi:id="OutputRedirect_l" 

stdoutFi1ename="${SERVER_LOG_ROOT}/native_stdout.log" 
stderrFi1ename="${SERVER_LOG_ROOT}/native_stderr. 1 og"/> 

<jvmEntries xmi:id="JavaVirtualMachine_l" classpath="" bootClasspath="" 
verboseModeClass="false" verboseModeGarbageCol1ection="fal se" 
verboseModeJNI="false" initialHeapSize="0" 
maximumHeapSize="256" runHProf="false" hprofArguments="" 
debugMode="false" debugArgs="-Djava.compiler=NONE -Xdebug -Xnoagent 
-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7777" 
genericJvmArguments=""> 

<systemProperties xmi:id="Property_10" 

name="client.encoding.override" value="UTF-8" required="false"/> 
</jvmEntries> 

On WebSphere Application Server 

On the WebSphere Administrative Console tree: 

• Select Servers. 

• Select Application Server. 

• Select the Server you want; for example, serverl. 

• Click Process Definition. 

• Click Java Virtual Machine. 

• Click Custom Properties. 

• Click the appropriate button for making a new property. 

• In the Name field, type cl ient.encoding.override. 

• In the Value column, type UTF-8. 

• Click Apply. 

• Stop and restart the WebSphere Application Server. 

DB2 errors logged 

In addition to the ibmslapd.log file, which can be accessed through the Web 
Administration Tool, DB2 errors are logged in the db2cli.log file. Both files are 
located in the var subdirectory of the IBM Tivoli Directory Server installation 
directory on Windows platforms. 

Note: The var subdirectory might include other DB2 files. 

Server errors are logged in the \var\ibmslapd.log file. 

DB2 errors are logged in the \var\db2cli.log file. 
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Server debug mode 

If the error logs do not provide enough information to resolve a problem, you can 
run the Server in a special debug mode that generates very detailed information. 
The Server executable ibmslapd must be run from a command prompt to enable 
debug output. The syntax is as follows: 
ldtrc on 

ibmslapd -h bitmask 

where the specified bitmask value determines which categories of debug output 
are generated. 

The ldtrc program Controls the LDAP Trace Facility. For example, the following 
ldtrc search: 

ldapsearch -1 60 -h ddejesus -D "o=IBM_US, c=US" -w 
secret -b "ou=Austin, o=IBM_US, c=US" "cn=Cindy Corn" 


might return Server output similar to the following: 

Connection received from 9.53.95.251 on socket 540. 

86366975 704 usec SQLA11ocStmt() => 0 

86367557 73 usec SQLBindParameterf) => 0 

86367974 33 usec SQLBindParameterf) => 0 

86435508 52 usec SQLFetch => 0 

86436039 49 usec SQLGetData => 0 

86436835 454 usec SQLFreeStmt => 0 

86458726 629 usec SQLA11ocStmt() => 0 

86459708 561 usec SQLPreparefSELECT distinct 

DB2ADMIN.LDAP_ENTRY.EID FROM DB2ADMIN.LDA 
P_ENTRY,DB2ADMIN.LDAP_DESC WHERE 
(DB2ADMIN.LDAP_ENTRY.EID=DB2ADMIN.LDAP_DESC.DE ID 
AND DB2ADMIN.LDAP_DESC.AEID=?) AND DB2ADMIN.LDAP_ENTRY.EID 
IN (SELECT EID FROM DB2ADMIN.CN WHERE CN_T= ?)) => 0 


Another way to enable Server debug mode is to activate the Server trace from 
startup. To do this, set the ibm-slapdStartupTraceEnabled environment variable to 
TRUE in the Server configuration file. There are configuration options for setting 
the level and routing the output to a file. 

The following example shows the ibm-slapdStartupTraceEnabled Option set to true: 

dn: cn=Configuration 
cn: Configuration 
ibm-slapdACLAccess: true 
ibm-slapdAdminDN: cn=root 
ibm-slapdAdminGroupEnabled: true 
ibm-slapdAdminPW: 

>14T/+cmSHfFQ8nKkYschiuw421kXnH6F0VP6NjfwlkBq3wlE65QBWCVczbcrt 
E++R7AEnKYFiBQFGBNJ0qYVny6ZmcXsFvhsniFKEpYFwLvLmxYFEpFuZkoPnju 
ttmTMMMogn/MKty288T8mc8JWMBlL+3gWWiW26y< 
ibm-slapdDerefAliases: always 
ibm-slapdErrorLog: /var/i bmslapd.log 
ibm-slapdMaxPendingChangesDispl ayed: 200 
ibm-slapdPort: 389 

#ibm-slapdPwEncryption must be one of none/imask/crypt/sha 
ibm-slapdPwEncryption: imask 

ibm-slapdServerId: 3a98a5d7-35c2-4c2b-a789-7255204efd4a 
ibm-slapdSizeLimit: 500 
ibm-slapdStartupTraceEnabled: true 
ibm-slapdSupportedWebAdmVersion: 2.0 

#ibm-slapdSysLogLevel must be one of 1/m/h (l=terse, h=verbose) 

ibm-slapdSysLogLevel: m 

ibm-slapdTimeLimit: 900 

ibm-slapdTraceMessageLevel: OxFFFF 
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ibm-slapdTraceMessagel_og: /var/i bmslapd.trace.log 
ibm-slapdVersion: 5.2 
objectclass: top 

objectclass: ibm-slapdConfigEntry 
objectclass: ibm-slapdTop 

You must run the ldtrc on command betöre the Server is started. 


The Server can be traced dynamically. 


To activate the LDAP Trace Facility, use ldtrc on or, from any machine where IBM 
Tivoli Directory Server is installed, issue the following command: 

Idaptrace -h <hostname> -d <adminDN> -w <adminpassword> -1 on 


Some other useful commands include: 

• To start tracing IBM Tivoli Directory Server: 

Idaptrace -h <hostname> -d <adminDN> -w <adminpassword> -1 

• To stop tracing IBM Tivoli Directory Server: 

Idaptrace -h <hostname> -d <adminDN> -w <adminpassword> -1 

• To turn off the LDAP Trace Facility: 

Idaptrace -h <hostname> -d <adminDN> -w <odminpassword> -1 

• To show the state of the LDAP Trace Facility: 

Idaptrace -h <hostname> -d <adininDN> -w <adminpassword> -1 

• To display the Idaptrace command usage information: 
Idaptrace -? 


on -t Start 

on -t stop 

off 

i nfo 


See Table 3 for descriptions of debug categories. 


Table 3. Debug categories 


Hex 

Decimal 

Value 

Description 

0x0001 

1 

LDAP_DEBUG_TRACE 

Entry and exit from 
routines 

0x0002 

2 

LDAP_DEBUG_PACKETS 

Packet activity 

0x0004 

4 

LDAP_DEBUG_ARGS 

Data arguments from 
requests 

0x0008 

8 

LD AP_DEBU G_CONN S 

Connection activity 

0x0010 

16 

LDAP_DEBUG_BER 

Encoding and decoding 
of data 

0x0020 

32 

LDAP_DEBUG_FILTER 

Search filters 

0x0040 

64 

LDAP_DEBUG_MESSAGE 

Messaging Subsystem 
activities and events 

0x0080 

128 

LDAP_DEBUG_ACL 

Access Control List 
activities 

0x0100 

256 

LDAP_DEBUG_STATS 

Operational statistics 

0x0200 

512 

LDAP_DEBUG_THREAD 

Threading statistics 

0x0400 

1024 

LDAP_DEBUG_REPL 

Replication statistics 

0x0800 

2048 

LDAP_DEBUG_PARSE 

Parsing activities 

0x1000 

4096 

LDAP_DEBUG_PERFORMANCE 

Relational backend 
performance statistics 
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Table 3. Debug categories (continued) 


Hex 

Decimal 

Value 

Description 

0x1000 

8192 

LDAP_DEBUG_RDBM 

Relational backend 
activities (RDBM) 

0x4000 

16384 

LDAP_DEBUG_REFERRAL 

Referral activities 

0x8000 

32768 

LDAP_DEBUG_ERROR 

Error conditions 

Oxffff 

65535 

ALL 


0x7fffffff 

2147483647 

LDAP_DEBUG_ANY 

All levels of debug 


For example, specifying a bitmask value of 65535 turns on full debug output and 
generates the most complete Information. 


When you are finished, issue the following command at a command prompt: 
ldtrc off 

It is recommended that you contact IBM Service for assistance with interpreting the 
debug output and resolving the problem. 

Verifying that AIX hardware is 64-bit 

The Server on AIX requires 64-bit hardware. To verify that your AIX hardware is 
64-bit, run the following command: 
bootinfo -y 

If the command returns 32, your hardware is 32-bit. 

In addition, if you type the command isattr -El procQ, the output of the 
command returns the type of processor for your Server. If you have any of the 
following, you have 64-bit hardware: RS64 I, II, III, IV, POWER3, POWER3 II or 
POWER4. 

Verifying that the AIX kernel is 64-bit 

To verify that you have the 64 bit kernel (/usr/lib/boot/unix_64) installed and 
running, run the following command: 
bootinfo -K 

In addition, if you type the command Isattr -El procO, the output of the 
command returns the type of processor for your Server. If you have any of the 
following, you have 64-bit hardware: RS64 I, II, III, IV, POWER3, POWER3 II or 
POWER4. 


Note: If the hardware is 32-bit, then you can only have a 32-bit kernel. You cannot 
have a 64-bit kernel. If the hardware is 64-bit, then you can have either a 32 
or 64-bit kernel. Go to 


http:// www.ibm.com/ Support/docview.wss?uid=isglhintsTips0214#4| for 
detailed information. 


Error on AIX 5.1 when running db2start 

The following error might occur when you try to run db2start: 

0509-130 Symbol resolution failed for /usr/1ib/threads/1ibc.a(aio.o) 
because: 

0509-136 Symbol kaio_rdwr (number 0) is not exported from 
dependent module /unix. 

0509-136 Symbol listio (number 1) is not exported from 
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dependent module /unix. 

0509-136 Symbol acancel (number 2) is not exported from 
dependent module /unix. 

0509-136 Symbol iosuspend (number 3) is not exported from 
dependent module /unix. 

0509-136 Symbol aio_nwait (number 4) is not exported from 
dependent module /unix. 

0509-192 Examine .loader section Symbols with the 
'dump -Tv 1 command. 

If this occurs on AIX 5.1, you have asynchronous I/O turned off. 

To tum on asynchronous I/O: 

1. Run smitty chgaio and set STATE to be configured at System restart from 
defined to available. 

2. Press Enter. 

3. Do one of the following: 

• Restart your System. 

• Run smitty aio and move the Cursor to Configure defined Asynchronous 
I/O. Then press Enter. 

The db2start command now works. 

Error when starting the embedded Version of WebSphere 
Application Server - Express on AIX 

Starting the embedded version of WebSphere Application Server - Express on AIX 
(startServer.sh serverl) might not work because port 9090 is already being used. 
See the installpath/ logs/serverl directory for the actual log files. Usually the 
SystemErr.log and SystemOut.log files are the most helpful, although the other logs 
might have some useful information. 

To change the port number for the embedded version of WebSphere Application 
Server - Express from 9090 to an unused port (for example, 9091) which is the port 
used on AIX machines. Edit the 

msfa/Zpaffr/config/cells/DefaultNode/virtualhosts.xml file and change 9090 to 9091. 
Make the same change in the 

instalIpath/c onfig/cel1s/DefaultNode/nodes/DefaultNode/servers/server1/server.xml 

file. 

Notes: 

1. This path does have two subdirectories called DefaultNode. 

2. installpath is the directory where the embedded version of WebSphere 
Application Server - Express is installed. 


Migration 

Düring migration, the following log files might be created. 

On UNIX platforms: 

Errors that occurred during Schema migration are logged in the 
/tmp /migrate.errors file. 

Detailed messages concerning Schema migration are logged in the 
/tmp / migrate52.log file. 
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On Windows platforms: 

The migration process uses the following log files: 

Errors that occur during Schema migration are logged in the install 
directory\ tmp \ m i gra te.errors file. 

Detailed messages received during Schema migration are logged in the 
install directory\ tmp\migrate52.log file. 

Standard out from execution of migrate52.bat is in the install 
dhecfory\tmp\migrate52StdOut.log file. 

Standard error from execution of migrate52.bat is in the install 
directory\ tmp \migrate52StdErr.log file. 

Other log files are: 

• Documents and settings\wserid\locaI settings\temp\ldapaddcfg.log 

• Documents and settings\userid\locaI settings\temp\ldapaddmaster.log 

• Documents and settings \ »send \ local settings\temp\ldaprmdbcfg.log 

• Documents and settings \ »send \ local settings\temp\ldaprmchlog.log 

• Documents and sett i n gs \ userid \ I oca I 
settings \ temp \ ldapaddibmldapver. log 

• Documents and settings \nserid\ local settings\temp\ldapaddpeer.log 

• Documents and settings \nserid\ local settings\temp\ldapaddreplica.log 


Web browser problems 

The following Information might be helpful if you encounter problems with your 
Web browser. 

Microsoft Internet Explorer 

If you have problems with Microsoft Internet Explorer, try making the following 
changes to the cache setup: 

• Click Tools —> Internet Options, and select General. Then click Settings. 
Under Check for newer versions of stored pages, click Every visit to the page. 

• If you are getting unpredictable results using the browser, the cache might be 
storing pages with errors. On the General folder page, click Delete files and 
Clear History to clear the cache. Use these options as often as necessary. 

• Shutting down and restarting the browser can also repair some intermittent 
problems. 
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Appendix A. Database configuration planning 


Before configuring and populating your database, determine: 

What type of data you are going to störe in the directory 

Decide what sort of Schema you need to support the type of data you want 
to keep in your directory. A Standard set of attribute-type definitions and 
object-class definitions is included with the directory Server. Before you 
begin adding entries to the directory, you might want to add new 
attribute-type and object-class definitions that are customized to your data. 


Note: You can make Schema additions after the directory is already 
populated with data, but Schema changes might require you to 
unload and reload your data. 


Which code page you are going to use 

Decide whether to create your database using the local code page or using 
the Universal Character Set (UTF-8). Selecting the local code page enables 
IBM Tivoli Directory Server applications and users to get search results as 
expected for the collation sequence of the native language. Using UTF-8 
enables the storing of any UTF-8 character data in the directory. IBM Tivoli 
Directory Server clients running anywhere in the world (in any UTF-8 
supported language) can access and search the directory. In many cases, 
however, the dient might have limited ability to properly display the 
results retrieved from the directory in a particular la nguage or character 
set. See Appendix H, "UTF-8 support", on page 135 for more information. 


Note: If you want to use language tags, the database must be a UTF-8 
database. 

How you want to structure your directory data 

An IBM Directory is stored in a hierarchical tree structure. The names of 
entries in the directory are based on their relative position within the tree 
structure. It is important to define some logical Organization to the 
directory. A logical Organization makes it easier for clients to determine 
which branch of the tree contains the information they are trying to locate. 
If you are storing data about the people in an Organization, it is easy to 
map the structure of the Organization onto the structure of the directory. If 
you are storing descriptions of applications, machine configuration data, or 
customer data, it might take more planning to decide how to structure 
your directory. 

Your data security requirements 

See the Secure Sockets Layer information in the IBM Tivoli Directory Server 
Version 5.2 Administration Guide for information about how your data is 
secured. 

How you want to allocate access permissions 

See the access control lists information in the IBM Tivoli Directory Server 
Version 5.2 Administration Guide for information about using access 
permissions. 
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Appendix B. Support for additional locales on UNIX platforms 


On some UNIX Systems, depending on your locale settings, Server messages might 
be generated in English, rather than in the language associated with the locale. For 
example, if your locale is set to de_DE, German messages are displayed. However, 
if your locale is set to de_CH, English messages are displayed. 

If this occurs, you can create symbolic links to select a language for messages on 
AIX, Linux, or HP-UX. 

For example, on AIX or Linux, to select German messages for a locale in 
Switzerland, (de_CH), create links by typing the following at a command prompt: 
cd /usr/lib/nls/msg 

ln -sf de_DE/diradm.cat de_CH/diradm.cat 
ln -sf de_DE/ldapc.cat de_Ch/ldapc.cat 
ln -sf de_DE/ldapcp.cat de_Ch/ldapcp.cat 
ln -sf de_DE/ldapprod.cat de_Ch/ldapprod.cat 
ln -sf de_DE/ldaputi1.cat de_Ch/ldaputi1.cat 
ln -sf de_DE/ldcf.cat de_Ch/ldcf.cat 
ln -sf de_DE/rdbm.cat de_Ch/rdbm.cat 
ln -sf de_DE/slapd.cat de_Ch/slapd.cat 
ln -sf de_DE/webuti1.cat de_Ch/webuti1.cat 

On HP-UX, for example, to enable the Spanish translation for a locale in Mexico, 
(es_MX), create links by typing the following at a command prompt: 
cd /usr/lib/nls/msg 

ln -sf es_ES.iso88591/diradm.cat es_MX.iso88591/diradm.cat 
ln -sf es_ES.iso88591/ldapc.cat es_MX.iso88591/ldapc.cat 
ln -sf es_ES.iso88591/ldapcp.cat es_MX.iso88591/ldapcp.cat 
ln -sf es_ES.iso88591/ldapprod.cat es_MX.iso88591/ldapprod.cat 
ln -sf es_ES.iso88591/ldaputi 1 .cat es_MX.iso88591/l daputi 1.cat 
ln -sf es_ES.iso88591/ldcf.cat es_MX.iso88591/ldcf.cat 
ln -sf es_ES.iso88591/rdbm.cat es_MX.iso88591/rdbm.cat 
ln -sf es_ES.iso88591/slapd.cat es_MX.iso88591/slapd.cat 
ln -sf es ES.iso88591/webutil.cat es MX.iso88591/webuti1.cat 
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Appendix C. Migrating replication Servers 


Use the information in this section before migration if you have replication Servers 
in your Installation. 

If you are migrating from IBM Directory Server 5.1, no migration is required for 
replication. 

When you install an IBM Tivoli Directory Server 5.2 Server over an existing IBM 
Directory Server 4.1 Server, the Server Updates the cn=Master Server entry in the 
ibmslapd.conf file. Auxiliary dass ibm-slapdPendingMigration is added to the 
cn=Master Server entry to indicate that replication migration should be done 
during the initial startup of the Server. On some platforms the ibmslapd.conf file is 
updated when migration scripts are run. These migration scripts must be run after 
installation, but before the initial start of the Server following Installation. 

The following example shows the cn=Master Server entry in the ibmslapd.conf file; 
the information in bold type is added during migration. (For Windows, migration 
occurs during Installation.) 

dn: cn=Master Server, cn=configuration 
objectclass: top 

objectclass: ibm-slapdReplication 
objectclass: ibm-slapdConfigEntry 

objectclass: ibm-slapdPendingMigration 
ibm-slapdMigrationlnfo: 4.1 REPLICA 

cn: Master Server 
ibm-slapdMasterDN: cn=master 
ibm-slapdMasterPW: masterpass2 

ibm-slapdMasterReferral: ldap://mymaster. mycompany.com 

The value of the ibm-slapdMigrationlnfo attribute indicates what type of Server is 
being migrated. The following are valid values for this attribute: 

4.1 REPLICA 

Read-only replica 

4.1 MASTER 

Read-write master 

4.1 PEER 

Read-write peer replica 

If your Server configuration file did not contain an entry for cn=MasterServer, the 
migration process adds the following: 

dn: cn=Master Server, cn=configuration 
objectclass: top 

objectclass: ibm-slapdReplication 
objectclass: ibm-slapdConfigEntry 
objectclass: ibm-slapdPendingMigration 
ibm-slapdMigrationlnfo: 4.1 MASTER 

Replication migration is a one-time Operation and occurs only during the initial 
start of the Server, and only when the ibm-slapdPendingMigration auxiliary dass 
is configured for the cn=Master Server entry. It is possible to restore a 4.1 version 
of the database and manually add the ibm-slapdPendingMigration dass to the 
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cn=Master Server entry to migrate replication-related information separately. All 
replication topology configuration and all unfinished replication activity will be 
migrated in the following ways: 

• If this is a read-only replica Server, then an ibm-replicationContext, 
ibm-replicaGroup, and ibm-replicaSubentry will be created for each suffix 
configured for the Server except for the CN=SCHEMA, CN=LOCALHOST, and 
CN=PWDPOLICY suffixes. 

• If this is a peer or master Server, then an ibm-replicationContext, 
ibm-replicaGroup, and ibm-replicaSubentry will be created only if replicaObject 
entries exist under the cn=localhost subtree. 

• For peer and master Servers, all replicaObject entries under the cn=localhost 
subtree will be migrated to ibm-replicationAgreement, and ibm- 
replicationCredentials directory entries. 

• For master and peer Servers with replicaObject entries, convert currently 
outstanding replication data and Status in the CHANGE and PROGRESS tables 
to the newly defined IBM Tivoli Directory Server 5.1 REPLCHANGE, 
REPLSTATUS, and REPLCSTAT tables. 

• When replication is successfully completed, the ibm-slapdPendingMigration 
auxiliary dass will be removed from the cn=Master Server entry in the 
ibmslapd.conf file, and the obsolete CHANGE and PROGRESS tables will be 
deleted from the database. 

After running any migration Scripts, which are required for some platforms, the 
first startup of IBM Tivoli Directory Server 5.2 automatically handles all replication 
topology and data migration for a master or peer Server. However, it is always a 
good idea to make a backup of your directory data to prevent data loss in case of 
an unforeseen failure. 

Note: After migration, if you notice discrepancies between the previous replication 
topology and the newly migrated topology, use the ldapdiff tool to fix the 
problem. See the IBM Tivoli Directory Server Version 5.2 Administration Guide 
for information about using ldapdiff. 
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Appendix D. Installing, configuring, and uninstalling the 
embedded Version of WebSphere Application Server - 
Express 


To use the Web Administration Tool, an application Server is required. The 
embedded version of WebSphere Application Server - Express, v5.0.2 is provided 
with IBM Tivoli Directory Server 5.2 as an application Server. 

If you use the InstallShield GUI to install the Web Administration Tool, you can 
select the embedded version of WebSphere Application Server - Express for 
installation. In this case, configuration is also done automatically. 

If you use native installation methods, you can install and configure the embedded 
version of WebSphere Application Server - Express manually. If you already have 
the embedded version of WebSphere Application Server - Express v 5.0.2 installed, 
you must configure manually betöre you can use the Web Administration Tool. 


Manually installing and configuring the embedded version of 
WebSphere Application Server - Express 

Installing the embedded version of WebSphere Application 
Server - Express 

To manually install the embedded version of WebSphere Application Server - 
Express, use the following procedure: 

1. After you download and unzip (or untar) the IBM Tivoli Directory Server zip 
or tar file, change directories to the directory where you expanded the file. 

2. Type the following command at a command prompt: 

• Qn Windows platforms: 

install .bat -installRoot installpath\appsr\i -hostName localhost 

• On UNIX platforms: 

install.sh -installRoot installpath/ appsrv -hostName localhost 
where 

• installpath is the directory where you unzipped or untarred the file. 

• appsrv is the subdirectory where you are installing the embedded version of 
WebSphere Application Server - Express. By Convention, appsrv is the 
directory used, though you can change this subdirectory if necessary. 

After installing the Web Administration Tool, copy the Web Administration Tool 
to the embedded version of WebSphere Application Server - Express directory 
by using the following commands: 
mkdir installpath /appsrv/instal1ableApps/ 

cp instalIpath/ idstools/IDSWebApp.war instal ZpatA/appsrv/instal1ableApps/ 

Installing the Web Administration Tool into the embedded 
version of WebSphere Application Server - Express 

Install the Web Administration Tool into the embedded version of WebSphere 
Application Server - Express by using the following command: 
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• On Windows Systems: 

"instaZZpatZAappsrv\bin\wsadmin.bat" -conntype NONE -c "$AdminApp 
instal 1 {instal ZpotZ)\appsrv\i nstal lableApps\IDSWebApp.war} 

{-configroot Vinstal Zpat/Aappsrv/configV 

-node DefaultNode -usedefaultbindings -nodeployejb -appname IDSWebApp.war 
-contextroot \"IDSWebApp\"}" 

Note: Type the command on one line. 

• On UNIX Systems: 

instaZZpafti/appsrv/bin/wsadmin.sh -conntype NONE -c "\$AdminApp 
instal 1 {instal ZpatZ)/appsrv/i nstal lableApps/IDSWebApp.war} 

{-configroot Vinstal Zpaf/)/appsrv/config\" 

-node DefaultNode -usedefaultbindings -nodeployejb -appname IDSWebApp.war 
-contextroot V'IDSWebAppV 1 }" 


Notes: 

1. If you install the Web Administration Tool and the embedded Version of 
WebSphere Application Server - Express through the InstallShield GUI, these 
commands are run automatically. 

2. If you plan to use the Web Administration Tool in a non-English langu age, see 
"Corruption of data entered in Web Administration Tool" on page 111 


Uninstalling the Web Administration Tool from the embedded Version 
of WebSphere Application Server - Express 


To uninstall the Web Administration Tool from the embedded version of 
WebSphere Application Server - Express manually: 


1 . 

2 . 


Be sure that the application Server is started. See {{Starting the application 


Server to use the Web Administration Tool" on page 97 for instructions. 

Type the following at a command prompt to uninstall the Web Administration 
Tool: 


• On Windows platforms: 

WZISPaflAbin\wsadmin.bat -conntype NONE -c "$AdminApp uninstall IDSWebApp.war" 

• On UNIX platforms: 

W/ISPaft)/bin/wsadmin.sh -conntype NONE -c "\$AdminApp uninstall IDSWebApp.war" 


where WASPath is the path where you installed the embedded version of 
WebSphere Application Server - Express. 


Default ports for the embedded version of WebSphere Application 
Server - Express 

The embedded version of WebSphere Application Server - Express uses four 
default port settings: 

• Http Transport (port 1): 9080 

• Http Transport (port 2): 9443 

• Bootstrap/rmi port: 2809 

• Soap connector port: 8880 

If a conflict exists with another application using one or more of these default 
ports, you can use a text editor to change from the default ports to unused ports. 
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Http Transport port 1 

Find the line containing the port number 9080 in the following files and 
replace the 9080 with the port number that you want: 

$WASEfOME\config\cells\DefaultNode\nodes\DefaultNode\servers\ 
Server 1 \ Server, xml 

$WASHOME \ conf ig \ cells \ DefaultNodeX virtualhosts .xml 

where WASHOME is the directory where the embedded version of 
WebSphere Application Server - Express is installed. 

Http Transport port 2 

Find the line containing the port number 9443 in the following files and 
replace the 9443 with the port number that you want: 

$W4SEfOME\config\cells\DefaultNode\nodes\DefaultNode\servers\ 
serverl \ Server, xml 

$WASHOME \ conf ig \ cells \ DefaultNodeX virtualhosts .xml 

where WASHOME is the directory where the embedded version of 
WebSphere Application Server - Express is installed. 

Bootstrap/rmi port 

Find the line containing the port number 2809 in the following file and 
replace the 2809 with the port number that you want: 

$W/ISW0MF\config\cel 1 s\Defaul tNode\nodes\Defaul tNode\serveri ndex.html 

where WASHOME is the directory where the embedded version of 
WebSphere Application Server - Express is installed. 

Soap connector port 

Find the line containing the port number 8880 in the following file and 
replace the 8880 with the port number that you want: 

$W/ISW0MF\config\cel 1 s\Defaul tNode\nodes\Defaul tNode\serveri ndex.html 

where WASHOME is the directory where the embedded version of 
WebSphere Application Server - Express is installed. 


Using HTTPS for the embedded version of WebSphere Application 
Server - Express Version V5.0.2 

The embedded version of WebSphere Application Server - Express, V5.0.2 comes 
with HTTPS set up by default on port 9443. To use HTTPS, you must change your 
login URL to the following: 

https:// <EosbMJ«e>:9443/IDSWebApp/IDSjsp/Login.jsp 
For non-HTTPS connections, continue to use the URL: 
http: / / <hos tname >:9080 / IDSWeb App / IDSjsp / Login.jsp 

Additionally, if you want to change the application server's SSL certificate, you can 
create new key and trust störe database files for the embedded version of 
WebSphere Application Server - Express to use. By default, the key and trust störe 
database files are separate and are located in the <WASHOME >/etc directory. 

These files are named DummyServerKeyFile.jks and DummyServerTrustFile.jks 
respectively. 
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After you have created your new jks files, you can change the key and trust störe 
database files that WAS uses by modifying the following items (highlighted in 
bold) in the <WA SHOME> / con fi g/cel I s/ Defa u I tNod e/secu ri ty. x m I file to use your 
new file names, passwords, and file formats: 

<repertoi re xmi:id="SSLConfig_l" alias="Defau 1tSSLSettings"> 

<setting xmi: id="DefaultSSLSettings" 

key Fi 1 eName="${USER_INSTALL_R00T]7etc/DumniyServerKey File, jks" 

keyFi1ePassword="WebAS" keyFi 1 eFormat="JKS" 

trustFi 1 eName="${USER_INSTALL_R00T}7etc/DummyServerTrustFile.jks" 

trustFi1ePassword="WebAS" trustFi 1 eFormat="JKS" 
clientAuthentication="false" securityLevel="HIGH" 
enableCryptoHardwareSupport="fal se"> 

<cryptoHardware xmi:id="CryptoHardwareToken_l" tokenType="" 
libraryFile="" password=""/> 

<properties xmi:id="Property_4" name="com.ibm.ssl.protocol" value="SSLv3"/> 
<properties xmi:id="Property_5" name="com.ibm.ssl.contextProvider" 
value="IBMJSSE"/> 

</setting> 

</repertoire> 
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Appendix E. Installing the Web Administration Tool into 
WebSphere 


IBM Tivoli Directory Server 5.2 provides the embedded version of WebSphere 
Application Server - Express version 5.0.2 as an application Server for the Web 
Administration Tool. However, you can also use WebSphere version 5.0 or higher 
as an application Server for the Web Administration Tool. If you use WebSphere, 
you must install the Web Administration Tool into WebSphere. Use the following 
instructions as a guide: 

1. Install WebSphere, using the Installation information provided with it. 

2. Install the Web Administration Tool using either the InstallShield GUI or the 
installation utility for your operating System. The file containing the Web 
Administration Tool is named IDS Web App .war, and it is in the idstools 
subdirectory of the installation directory you specified during installation. 

3. Install the Web Administration Tool application into WebSphere, using the 
information provided with WebSphere. For example, if you use the 
Administrative Console, on the Install New Application window, set the Local 
path to installdirectory /idstools/IDSVVebApp.vvar, and the Context root to 
/IDSWebApp. 

installdirectory is the directory you specified when installing the Web 
Administration Tool. 

4. Start the Web Administration Tool (for example, through the Administrative 
Console). 

5. From a Web browser, type the following address: 
http://Iocalhost:9080/IDSWebApp/IDSjsp/Login.jsp 

The IBM Tivoli Directory Server Web Administration login page window is 
displayed. 

Note: This address works only if you are running the browser on the Computer 
on which the Web Administration Tool is installed. If the Web 
Administration Tool is installed on a different Computer, replace 
1 ocal host with the hostname or IP address of the Computer where the 
Web Administration Tool is installed. 


Note: If you plan to use the Web Administration Tool in a non-English language . 


see 


'Corruption of data entered in Web Administration Tool" on page 111 
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Appendix F. Installing and configuring DSML 


Directory Services Markup Language (DSML) is installed as a .zip file named 
DSML.zip in the installpath /idstools (or installpath \idstools for Windows Systems) 
directory when you install the Web Administration Tool. After you unzip the 
DSML.zip file, documentation files are available that teil you how to install, 
configure, and use DSML. These files are: 

DSMLReadme.txt 

Describes the files in the package and teils you how to install and 
configure DSML. 

dsml.pdf 

Describes how to use DSML. This file is in PDF format. 

dsml.htm 

Describes how to use DSML, in HTML format. 
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Appendix G. Loading a sample database 


Use the following procedure to load a sample database. 

1. In the Configuration Tool, click Manage suffixes in the task list on the left. 

2. In the Manage suffixes window, in the SuffixDN field, type o=ibm,c=us. This is 
the suffix DN that will hold the sample data. Because the sample data is part of 
the suffix o=ibm,c=us, this is the suffix DN you must add. 

3. Click Add. 

4. Click OK. 

Note: When you click Add, the suffix is added to the list in the Current suffix 
DNs box; however, the suffix is not actually added until you click OK. 

5. In the Configuration Tool, click Import LDIF data in the task list on the left. 

6. In the Import LDIF data window on the right, in the Path and LDIF file name 
field, type one of the following: 

• ins£aZZ_ahr\examples\sample.ldif on Windows Systems 

• instaZZ_ahr/examples/sample.ldif on UNIX Systems 

Altematively, you can click Browse to locate the file. install_dir is the directory 
where you installed IBM Tivoli Directory Server. 

7. Click Standard import. 

8. Click Import. 

Note: As an alternative, you can use: 

• The ldapcfg command to add the suffix: ldapcfg -s "o=ibm,c=us" 

• The ldif2db utility to import the data. For example, ldif2db -i 
instal Z_dir\examples\sample.1 dif 

9. After processing is complete, go to a command prompt and type i bmsl apd to 
start the Server. 

Messages are displayed while the Server is starting. The following message is 
displayed if the Server starts successfully: 

IBM Tivoli Directory, Version 5.2 Server started. 


You have verified that the sample database is loaded correctly and that the 
installation is successful. 


Use the instructions in "Starting the Web Administration Tool" on page 97 to start 
the Web Administration Tool if you installed it. See the IBM Tivoli Directory Server 
Version 5.2 Administration Guide for Information about using the Web 
Administration Tool and using the Server. 
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Appendix H. UTF-8 Support 

IBM Tivoli Directory Server Supports a wide variety of national language 
characters through the UTF-8 (UCS Transformation Format) character set. As 
specified for the LDAP Version 3 protocol, all character data that is passed between 
an LDAP dient and a Server is in UTF-8. Consequently, the directory Server can be 
configured to störe any national language characters that can be represented in 
UTF-8. The limitations on what types of characters can be stored and searched for 
are determined by how the database is created. The database character set can be 
specified as UTF-8 or it can be set to use the Server system's local character set 
(based on the locale, language, and code page environment). 

If you specify UTF-8, you can störe any UTF-8 character data in the directory. 
LDAP clients running anywhere in the world (in any UTF-8 supported language) 
can access and search the directory. In many cases, however, the dient has limited 
ability to properly display the results retrieved from the directory in a particular 
language/character set. There is also a performance advantage to using a UTF-8 
database because no data conversion is required when storing data to or retrieving 
data from the database. 

Note: If you want to use language tags, the database must be a UTF-8 database. 


Why choose anything other than UTF-8? 

A UTF-8 database has a fixed collation sequence. That sequence is the binary order 
of the UTF-8 characters. It is not possible to do language-sensitive collation with a 
UTF-8 database. 

If it is important to your LDAP applications or users to get results for a search 
using an ordering filter (for example, "name >= SMITH") or any search specifying 
the control to sort the results as they would expect for their native language, then 
UTF-8 might not be the appropriate character set for their directory database. In 
that instance, the LDAP Server System and all dient Systems should run using the 
same character set and locale. For example, an LDAP Server running in a Spanish 
locale with a database created using that locale returns results of searches based on 
character ordering, as Spanish-language clients would expect. This configuration 
does limit your directory user community to a single end-user character set and 
collation sequence. 


Server Utilities 


Manual creation of an LDIF file containing UTF-8 values is difficult. To simplify 
this process, a charset extension to the LDIF format is supported. This extension 
allows an Internet Assigned Numbers Authority (IANA) character set name to be 
specified in the header of the LDIF file (along with the version number). A limited 
set of the IANA character sets are supported. 

Examples 

You can use the optional charset tag so that the Server Utilities automatically 
convert from the specified character set to UTF-8 as in the following example: 
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version: 1 
charset: ISO-8859-1 

dn: cn=Juan Griego, o=University of New Mexico, c=US 
cn: Juan Griego 
sn: Griego 

description:: V2hhdCBhIGNhcmVmdWwgcmVhZGVyIHl vd 
title: Associate Dean 
title: [title in Spanish] 

jpegPhoto:< file:///usr/local/photos/jgriego.jpg 

In this instance, all values following an attribute name and a single colon are 
translated from the ISO-8859-1 character set to UTF-8. Values following an attribute 
name and a double colon (such as description:: V2hhdCBhIGNhcm... ) should be 
base 64-encoded, and are expected to be either binary or UTF-8 character strings. 
Values read from a file, such as the jpegPhoto attribute specified by the URL in the 
example above, are also expected to be either binary or UTF-8. No translation from 
the specified "charset" to UTF-8 is done on those values. 

In this example of an LDIF file without the charset tag, content is expected to be in 
UTF-8: 

# IBM IBM Directorysample LDIF file 

# 

# The suffix "o=IBM, c=US" should be defined before attempting to load 

# this data. 

version: 1 

dn: o=IBM, c=US 
objectclass: top 
objectclass: Organization 
o: IBM 

dn: ou=Austin, o=IBM, c=US 
ou: Austin 

objectclass: organizationalUnit 

seealso: cn=Mary Smith, ou=Austin, o=IBM, c=US 

This same file could be used without the version: 1 header information, as in 
previous releases of IBM Tivoli Directory Server: 

# IBM IBM Directorysample LDIF file 

# 

#The suffix "o=IBM, c=US" should be defined before attempting to load 
#this data. 

dn: o=IBM, c=US 
objectclass: top 
objectclass: Organization 
o: IBM 

dn: ou=Austin, o=IBM, c=US 
ou: Austin 

objectclass: organizationalUnit 

seealso: cn=Linda Carlesberg, ou=Austin, o=IBM, c=US 


Supported IANA character sets 

IBM Tivoli Directory Server supports the Internet Assigned Number Authority 
(IANA) character set names by platform, as shown in the following fable. These 
are the character set names that can be specified in an LDIF file or using the 
C-client interface to identify the character set of input data to be used with the 
directory. 
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Table 4. Supported IANA character sets by platform 


Character 

Locale 

DB2 Code Page 

Set Name 

Linux, 

Linux for 

S/390®, 

HP-UX 

NT 

AIX 

Solaris 

UNIX 

NT 

ISO-8859-1 

X 

X 

X 

X 

819 

1252 

ISO-8859-2 

X 

X 

X 

X 

912 

1250 

ISO-8859-5 

X 

X 

X 

X 

915 

1251 

ISO-8859-6 

X 

X 

X 

n/a 

1089 

1256 

ISO-8859-7 

X 

X 

X 

n/a 

813 

1253 

ISO-8859-8 

X 

X 

X 

n/a 

916 

1255 

ISO-8859-9 

X 

X 

X 

n/a 

920 

1254 

IBM437 

n/a 

X 

n/a 

n/a 

437 

437 

IBM850 

n/a 

X 

X 

n/a 

850 

850 

IBM852 

n/a 

X 

n/a 

n/a 

852 

852 

IBM857 

n/a 

X 

n/a 

n/a 

857 

857 

IBM862 

n/a 

X 

n/a 

n/a 

862 

862 

IBM864 

n/a 

X 

n/a 

n/a 

864 

864 

IBM866 

n/a 

X 

n/a 

n/a 

866 

866 

IBM869 

n/a 

X 

n/a 

n/a 

869 

869 

TIS-620 

n/a 

X 

X 

n/a 

874 

874 

EUC-JP 

X 

n/a 

X 

X 

954 

n/a 

EUC-KR 

n/a 

n/a 

X 

X 

970 

n/a 

EUC-CN 

n/a 

n/a 

X 

X 

1383 

n/a 

EUC-TW 

n/a 

n/a 

X 

X 

964 

n/a 

Shift-JIS 

X 

X 

X 

X 

932 

943 

KSC 

n/a 

X 

n/a 

n/a 

n/a 

949 

GBK 

n/a 

X 

X 

n/a 

1386 

1386 

Big5 

n/a 

X 

X 

X 

950 

950 
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Appendix I. Setting up GSKit to Support CMS key databases 


To set up GSKit to support Conversational Monitor System (CMS) key databases, 
complete the following procedure betöre starting the iKeyman GUI: 

1. Be sure that you have installed GSKit 7a. 

2. Install the IBM JRE or JDK 1.4.1 or an equivalent JRE or JDK. 

3. Set JAVA_HOME to point to the directory where Java 1.4.1 was installed. For 
example: 

• Qn Windows, set JAVA_HOME=c:\Program Files\IBM\Javal4. 

• On AIX, export JAVA_HOME=/usr/ldap/java. 

4. On AIX, create a link from /usr/ldap/jre to /usr/ldap/java by typing the 
following at a command prompt: 

ln -s /usr/ldap/java /usr/ldap/jre 

5. Remove the ibmjsse.jar, gskikm.jar (if it exists) and ibmjcaprovider.jar files from 
your JAVA_HOME\jre\lib\ext directory on Windows. This directory is 
JAVA_HOME/lib/ext (/usr/ldap/java/lib/ext) on AIX. 

6. Be sure that the JAVA_HOME\jre\ (/usr/ldap/java/ on AIX) directory has the 
following JAR files: 

• lib/ext/ibmjceprovider.jar 

• lib/ext/ibmpkcs.jar 

• lib / ibmjcefw.jar 

• lib/ext/ibmjcefips.jar (optional to support FIPS) 

• lib/security/local_policy.jar 

• lib /security / US_export_policy.jar 

• lib/ibmpkcsll.jar 

On Solaris, JDK 1.4 requires the user to have jurisdiction policy files. Due to the 
import restrictions for some countries, the jurisdiction policy files distributed 
with the J2SDK Version 1.4.1 Software have built-in restrictions on the available 
cryptographic strength. The Solaris installation requires jurisdiction policy files 
that contain no restrictions on cryptographic strength. 

For more information about jurisdiction policy files, see the following Web site: 

http: / /java. sun.com / products /jce / index-14.html 

To download, go to the following Web site: 

http://java.sun.com/j2se/1.4/download ,html#docs 

Note: GSKit has provided the jar files shown and ibmpkcsll.jar under 

GSKit_instaUation_pnth\classes\]re\lib\ext for your convenience. It is up 
to each individual product to decide whether to ship these JSSE jar files 
in the product. The following are the GSKit recommendations: 

• A product should ship whatever JSSE jar files it used for System 
testing with the product. 

• If your existing Java installation's JSSE jar files are later than those 
required by GSKit, no action is required. 
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• If your existing Java installation's JSSE jar files are older than those 
required by GSKit, your should replace your old JSSE jar files with the 
GSKit jar files. GSKit iKeyman will work with the old JSSE jar files. 
However, some iKeyman functions might fail due to known bug fixes 
that are not included in your JDI< Installation. 

7. GSKit users must register both IBM CMS and IBM JCE Service providers as 
follows: 

Update the JAVA_HOME/jre/lib/security/java.security file to add both IBM 
CMS and IBM JCE providers after the Sun provider. For example: 

security.provider.l=sun.security.provider.Sun 
security.provider.2=com.ibm.spi.IBMCMSProvider 
security.provider.3=com.ibm.crypto.provider.IBMJCE 

A sample java.security file can be found in 
GSKit_Installation_path\dasses\gsk_)ava.secunty. 

To enable FIPS Operation, update the 

JAVA_HOME/jre/lib/security/java.security file to add IBMCMS, IBMJCE, and 
IBMJCEFIPS providers after the Sun provider. Be sure that the IBMJCEFIPS 
provider was registered at a higher priority than IBMJCE. For example: 

security.provider.l=sun.security.provider.Sun 
security.provider.2=com.ibm.spi.IBMCMSProvider 
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS 
security.provider.4=com.ibm.crypto.provi der.IBMJCE 

8. This step is optional. If you are a JSSE user and use JSSE to access 
cryptographic hardware, install the ibmpkcsll.jar file in the 
JAVA_HOME\jre\lib\ext directory and follow the instructions in 
GSKit_InstnUation_pnth/dasses/native/native-support.zip to set up the 
cryptographic hardware DLLs. 

Note: You could also find the ibmpkcsll.jar file in the JSSE package released 
after August 5, 2002. To register an IBMPKCS11 service provider, the 
following example Updates the 
JAVA_HOME /jre/lib / security/java.security file: 

security.provider.l=sun.security.provi der.Sun 

security.provider.2=com.ibm.crypto.provider.IBMJCE 

security.provider.3=com.ibm.crypto.pkcs11.provider.IBMPKCS11 
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Appendix J. Configuring the database in a location other than 
/home when /home is an NFS mount 

On UNIX Systems, if you use NFS automount, you must configure everything 
manually to create the database in a location other than /home. Performing 
manual configuration in this Situation also avoids the problem of the ldapcfg 
command trying to write to /home. 

Notes: 

1. The following steps assume that you want to set up a database where the 
instance owner is ldapdb2, DB2 instance is ldapdb2, and database name is 
ldapdb2. 

2. It is strongly recommended to save a copy of any System file before editing it. 

1. Create a group named dbsysadm for the database administrators: 
groupadd [-g <gid>] dbsysadm 

Note: The groupadd command on some Linux distributions requires that the 
group ID number (gid) be specified using the -g <gid> syntax. Type 
cat /etc/group 

to find an available group ID number. Red Hat automatically assigns 
the next available gid if the -g Option is not specified. 

2. Add users root and ldap to the dbsysadm group: 

usermod -G dbsysadm root 
usermod -G dbsysadm ldap 

3. Create a user account (ldapdb2) for the DB2 instance: 
useradd -g dbsysadm -m ldapdb2 

4. Set the password for the user account (ldapdb2): 
passwd 1dapdb2 

Enter the new password when prompted. Record your password for future 
reference. 

5. Create the database instance: 

<LD4PW0MF>/db2/instance/db2icrt -u ldapdb2 ldapdb2 

where <LDAPHOME> is: 

• AIX, Linux operating Systems- /usr/ldap 

• Solaris operating Systems - /opt/IBMldaps 

• HP-UX operating Systems- /usr/IBMldap 

6. Log in as the database user ID: 
su - ldapdb2 

7. Start the database manager: 
db2start 

8. Create the database under the instance: 

db2 create db ldapdb2 on <location> using codeset UTF-8 territory US 

Note: If you omit the using codeset UTF-8 territory US the database is 

created in the local code page. However, using the local code page does 
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affect performance. The database requires at least 80Mb of free space 
available on the filesystem. Use df -k to verify this before creating the 
database. 

9. Enable multi-page file allocation: 
db2empfa ldapdb2 

Note: This is a performance enhancement, and cannot be undone after being 
run. 

10. Update some of the DB2 tuning variables: 

db2 update db cfg for <databasename> using <parm> <newvalue> 

DB2 Parameter Minimum value allowed 
APPLHEAPSZ 2048 
PCKCACHESZ 360 
SORTHEAP 256 


For example: 

db2 update db cfg for ldapdb2 using APPLHEAPSZ 1280 

11. The database is fully configured; you can update the configuration file to use 
this database. In <LD/\PHOME>etc/ibmslapd.conf, in the following stanza: 

dn: cn=Directory,cn=RDBM Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration 
objectclass: top 

objectclass: ibm-slapdRdbmBackend 
cn: Directory 

ibm-slapdPlugin: database /bin/1ibback-rdbm.dl1 rdbm_backend_init 
ibm-slapdDbConnections: 15 
ibm-slapdSuffix: cn=localhost 
ibm-slapdReadOnly: FALSE 

Add the following lines: 

ibm-slapdDblnstance: ldapdb2 
ibm-slapdDbAlias: ldapdb2b 
ibm-slapdDbUserld: ldapdb2 
ibm-slapdDbUserPw: <user pw> 
ibm-slapdDbLocation: <user defined location> 


12 . 


The resulting stanza is: 


dn: cn=Directory,cn=RDBM Backends,cn=IBM SecureWay,cn=Schemas,cn=Configuration 
objectclass: top 

objectclass: ibm-slapdRdbmBackend 
cn: Directory 

ibm-slapdPlugin: database /bin/1ibback-rdbm.dl 1 rdbm_backend_init 

ibm-slapdDblnstance: ldapdb2 

ibm-slapdDbAlias: ldapdb2b 

ibm-slapdDbüserld: ldapdb2 

ibm-slapdDbUserPw: <user pw> 

ibm-slapdDbLocation: <user defined location> 

ibm-slapdDbConnections: 15 

ibm-slapdSuffix: cn=localhost 

ibm-slapdReadOnly: FALSE 


If you used a UTF-8 datastore as described in step 8 on page 141. in the 
stanza: dn: cn=Front End, cn=Configuration, you must uncomment the line: 


#ibm-slapdSetEnv: DB2CP=1208 


The database is ready for the Directory Server to use. The first startup takes longer 
because the Server must create its own tablespaces and bufferpools. 
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Appendix K. IBM Tivoli Directory Server configuration Schema 


This appendix describes the Directory Information Tree (DIT) and the attributes 
that are used to configure the ibmslapd.conf file. In some previous releases, the 
directory configuration settings were stored in a proprietary format in the 
configuration file. Starting with the Version 3.2 release, the directory settings are 
stored using the LDIF format in the configuration file. 

The configuration file was renamed from slapd32.conf to ibmslapd.conf in the 5.1 
release. The Schema used by the configuration file is also now available. Attribute 
types can be found in the v3.config.at file, and object classes are in the v3.config.oc 
file. Attributes can be modified using the ldapmodify command. See the IBM Tivoli 
Directory Server Version 5.2 Administration Guide for information about the 
ldapmodify command. 


Directory Information Tree 

cn=Configuration 

• cn=Admin 

• cn=AdminGroup 

• cn=Event Notification 

• cn=Front End 

• cn=Kerberos 

• cn=Master Server 

• cn=Referral 

• cn=Schema 

- cn=IBM Directory 


cn=Config Backends 


• 

cn=ConfigDB 


- cn=RDBM Backends 

• 

• 

cn=Directory 


cn=ChangeLo| 

7 

- cn=LDCF Backends 

• 

cn=SchemaDB 



• cn=SSL 


- cn=CRL 


cn=Transaction 

cn=Digest 


cn=admin 

audit 


• cn=Audit 


• cn=Connection Management 

cn=Configuration 

DN cn=Configuration 

Description 

This is the top-level entry in the configuration DIT. It holds data of global 
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interest to the Server, although in practice it also contains miscellaneous 
items. Every attribute in the this entry comes from the first section (global 
stanza) of ibmslapd.conf. 

Number 

1 (required) 

Object dass 

ibm-slapdTop 


Mandatory Attributes 


cn 


ibm-slapdAdminDN 


ibm-slapdAdminPW 

ibm-slapdErrorLog 

ibm-slapdPort 


ibm-slapdPwEncryption 

ibm-slapdSizeLimit 


ibm-slapdSysLogLev 

el 

ibm-slapdTimeLimit 


ibm-slapdDeref Alias 

2S 

objectClass 


Optional Attributes 


ibm-slapdConcurrentRW| (Deprecated) 


ibm-slapdMaxPendingChangesDisplayed 

ibm-slapdServerld 



ibm-slapdSupportedWebAdm Version 



ibm-slapdVersion 


ibm-slapdAdminGroupEnabled 


ibm-slapdStartupTraceEnabled 


ibm-slapdTraceMessageLog 


ibm-slapdTraceMessageLevel 


cn=Admin 

DN cn=Admin, cn=Configuration 

Description 

Global configuration settings for IBM Admin Daemon 

Number 

1 (required) 

Object dass 

ibm-slapdAdmin 

Mandatory Attributes 

• cn 

• ibm-slapdErrorLog 

• ibm-slapdPort 

Optional Attributes 

• ibm-slapdSecurePort 
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cn=AdminGroup 

DN cn=<id>, cn=AdminGroup, cn=Configuration 

Description 

A user belonging to the Administration Group. Must be an entry under the 
cn=AdminGroup, cn=Configuration subtree. 

Number 

0 (optional) Needed only if you want administrative group members. 

Object Class 

ibm-slapdAdminGroupMember 

Mandatory Attributes 

• ibm-slapdAdminDN 

• ibm-slapdAdminPW 

Optional Attributes 

• ibm-slapdKrbAdminDN 

• |ibm-slapdPigestAdminUser 


cn=Event Notification 


PN cn=Event Notification, cn=Configuration 


Pescription 

Global event notification settings for IBM Tivoli Pirectory Server 5.1 

Number 

0 or 1 (optional; needed only if you want to enable event notification) 

Object Class 

ibm-slapdEventNotification 


Mandatory Attributes 


cn 


ibm-slapdEnableEventNotification 

objectClass 



Optional Attributes 


ibm-slapdMaxEventsPerConnection 


|ibm-slapdMaxEvents Total 


cn=Front End 

PN cn=Front End, cn=Configuration 

Pescription 

Global environment settings that the Server applies at startup. 

Number 

0 or 1 (optional) 

Object Class 

ibm-slapdFrontEnd 

Mandatory Attributes 


• 

cn 


• 

objectClass 
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Optional Attributes 


ibm-slapdACLCache 


ibm-slapdACLCacheSize 


ibm-slapdDB2CF 



ibm-slapdEntryCacheSize 


ibm-slapdFilterCacheBypassLimit 

ibm-slapdFilterCacheSize 


ibm-slapdPlugin 



ibm-slapdSetenv 

ibm-slapdldleTimeOut 


cn=Kerberos 

DN cn=Kerberos, cn=Configuration 

Description 

Global Kerberos authentication settings for IBM Tivoli Directory Server 5.2. 

Number 

0 or 1 (optional) 

Object dass 

ibm-slapdKerberos 

Mandatory Attributes 


cn 


ibm-slapdKrbEnable 


ibm-slapdKrbRealm 

ibm-slapdKrbKeyTat 


ibm-slapdKrbldentityMap 

ibm-slapdKrbAdminDN 


objectClass 


Optional Attributes 

• None 


cn=Master Server 


DN cn=Master Server, cn=Configuration 

Description 

When configuring a replica, this entry holds the bind credentials and 
referral URL of the master Server. 


Number 

0 or 1 (optional) 

Object dass 

ibm-slapdReplication 

Mandatory Attributes 


cn 


ibm-slapdMasterPW (Mandatory if not using Kerberos authentication.) 


objectClass 


Optional Attributes 
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ibm-slapdMasterDN 

(Optional if using Kerberos authentication.) 

ibm-slapdMasterPW 

ibm-slapdMasterReferral 


cn=Referral 

DN cn=Referral, cn=Configuration 

Description 

This entry contains all the referral entries from the first section (global 
stanza) of ibmslapd.conf. If there are no referrals (there are none by 
default), this entry is optional. 

Number 

0 or 1 (optional) 

Object dass 

ibm-slapdReferral 

Mandatory Attributes 


cn 


ibm-slapdReferral 

objectClass 



Optional Attributes 

• None 


cn=Schemas 

DN cn=Schemas, cn=Configuration 

Description 

This entry serves as a Container for the Schemas. This entry is not really 
necessary because the Schemas can be distinguished by the object dass 
ibm-slapdSchema. It is included to improve the readability of the DIT. 

Qnly one Schema entry is currently allowed: cn=IBM Directory. 

Number 

1 (required) 

Object dass 

Container 

Mandatory Attributes 


• 

cn 


• 

objectClass 


Optional Attributes 

• None 

cn=IBM Directory 

DN cn=IBM Directory, cn=Schemas, cn=Configuration 

Description 

This entry contains all the Schema configuration data from the first section 
(global stanza) of ibmslapd.conf. It also serves as a Container for all the 
backends that use the Schema. Multiple Schemas are not supported, but if 
they were, then there would be one ibm-slapdSchema entry per Schema. 


Appendix K. IBM Tivoli Directory Server configuration Schema 147 
































Note that multiple Schemas are assumed to be incompatible. Therefore, a 
backend can be associated with a single Schema only. 

Number 

1 (required) 

Object dass 

ibm-slapdSchema 

Mandatory Attributes 


cn 


ibm-slapdSchemaCheck 

ibm-slapdlncludeSchema 

objectClass 



Optional Attributes 

• ibm-slapdSchemaAdditions 


cn=Config Backends 

DN cn=Config Backends, cn=IBM Directory, cn=Schemas, cn=Configuration 

Description 

This entry serves as a Container for the Config backends. 

Number 

1 (required) 

Object dass 

Container 

Mandatory Attributes 

• cn 

• objectClass 

Optional Attributes 

None 

cn=ConfigDB 

DN cn=ConfigDB, cn=Config Backends, cn=IBM Directory, cn=Schemas, 
cn=Configuration 

Description 

Configuration backend for IBM Tivoli Directory Server Server configuration 

Number 

0 - n (optional) 

Object dass 

ibm-slapdConfigBackend 

Mandatory Attributes 


cn 


ibm-slapdSuffix 

ibm-slapdPlugin 

objectClass 



Optional Attributes 

• ibm-slapdReadOnly 
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cn=RDBM Backends 


DN cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration 

Description 

This entry serves as a Container for the RDBM backends. It effectively 
replaces the database rdbm line from ibmslapd.conf by identifying all 
sub-entries as DB2 backends. This entry is not really necessary because the 
RDBM backends can be distinguished by object dass ibm- 
slapdRdbmBackend. It is included to improve the readability of the DIT. 

Number 

0 or 1 (optional) 

Object dass 

Container 

Mandatory Attributes 

• cn 

• objectClass 

Optional Attributes 

• None 


cn=Directory 

DN cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, 
cn=Configuration 

Description 

This entry contains all the database configuration settings for the default 
RDBM database backend. 

Although multiple backends with arbitrary names can be created, the 
Server Administration assumes that "cn=Directory" is the main directory 
backend, and that "cn=Change Log" is the optional changelog backend. 
Qnly the suffixes displayed in "cn=Directory" are configurable through the 
Server Administration (except for the changelog suffix, which is set 
transparently by enabling changelog). 

Number 

0 - n (optional) 

Object dass 

ibm-slapdRdbmBackend 

Mandatory Attributes 

• cn 

• ibm-slapdDblnstance 

• ibm-slapdDbName 

• ibm-slapdDbUserID 

• ibm-slapdDbUserPW 

• objectClass 
Optional Attributes 


ibm-slapdBulkloadErrors 


ibm-slapdChangeLogMaxEntries 

ibm-slapdChangeLogMaxAge 


ibm-slapdCLIErrors 
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ibm-slapdDB Alias 


ibm-slapdDB2CP 


ibm-slapdDbConnection 

s 

ibm-slapdDbLocatior 

l 

ibm-slapdPagedResAllowNonAdmin 

ibm-slapdPagedResLmt 


ibm-slapdPlugin 



ibm-slapdReadOnly 


ibm-slapdReplDbConns 


ibm-slapdSortKeyLimit 


• ibm-slapdSortSrchAllowNonAdmin 


ibm-slapdSuffix 


ibm-slapdUseProcessIdPw 


ibm-slapdCachedAttribute 



• ibm-slapdCachedAttributeSize 


• ibm-slapdLanguageTagsEnabled 

Note: If you are using ibm-slapdUseProcessIdPw, you must modify the 
Schema to make ibm-slapdDbUserPW optional. 

cn=Change Log 

DN cn=Change Log, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, 
cn=Configuration 

Description 

This entry contains all the database configuration settings for the change 
log backend. 

Number 

0 - n (optional) 

Object Class 

ibm-slapdRdbmBackend 

Mandatory Attributes 

• cn 

• ibm-slapdDblnstance 

• ibm-slapdDbName 

• ibm-slapdDbUserID 

• ibm-slapdDbUserPW 

• objectClass 

Optional Attributes 

• ibm-slapdBulkloadErrors 

• ibm-slapdChangeLogMaxEntries 


• ibm-slapdCLIErrors 


ibm-slapdDB Alias 


ibm-slapdDB2CP 


ibm-slapdDbConnections 

ibm-slapdDbLocation 
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• ibm-slapdPagedResAllowNonAdmin 


ibm-slapdPagedResLmt 


ibm-slapdPlugin 


ibm-slapdReadOnly 

ibm-slapdReplDbConns 


ibm-slapdSortKeyLimit 

ibm-slapdSortSrchAllowNonAdmin 

ibm-slapdSuffix 



ibm-slapdUseProcessIdPw 


ibm-slapdCachedAttribute 

ibm-slapdCachedAttributeSize 

ibm-slapdLanguageTagsEnabled 


Note: If you are using ibm-slapdUseProcessIdPw, you must modify the 
Schema to make ibm-slapdDbUserPW optional. 

cn=LDCF Backends 

DN cn=LDCF Backends, cn=IBM Directory, cn=Schemas, cn=Configuration 

Description 

This entry serves as a Container for the LDCF backends. It effectively 
replaces the database ldcf line from ibmslapd.conf by identifying all 
sub-entries as LDCF backends. This entry is not really necessary because 
the LDCF backends can be distinguished by the object dass 
ibm-slapdLdcfBackend. It is included to improve the readability of the DIT. 

Number 

1 (required) 

Object dass 

Container 

Mandatory Attributes 

• cn 

• objectClass 

Optional Attributes 

• |ibm-slapdPlugin 

cn=SchemaDB 

DN cn=SchemaDB, cn=LDCF Backends, cn=IBM Directory, cn=Schemas, 
cn=Configuration 

Description 

This entry contains all the database configuration data from the ldcf 
database section of ibmslapd.conf. 

Number 

1 (required) 

Object dass 

ibm-slapdLdcfBackend 

Mandatory Attributes 

• cn 
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objectClass 


Optional Attributes 


ibm-slapdPlugin 


ibm-slapdSuffix 


cn=SSL 

DN cn=SSL, cn=Configuration 

Description 

Global SSL connection settings for IBM Tivoli Directory Server 5.2. 

Number 

0 or 1 (optional) 

Object dass 

ibm-slapdSSL 

Mandatory Attributes 


cn 


ibm-slapdSecurity 


ibm-slapdSecurePort 

ibm-slapdSslAuth 


objectClass 



Optional Attributes 

• ibm-slapdSslCertificate 

• ibm-slapdSslCipherSpec 

Note: ibm-slapdSslCipherSpecs is now deprecated. Use 
ibm-slapdSslCipherSpec instead. If you use ibm- 
slapdSslCipherSpecs, the Server will convert to the supported 
attribute. 


ibm-slapdSslKeyDatabase 



ibm-slapdSslKeyDatabasePW 


ibm-slapdSslKeyRingFilePW 


ibm-slapdSslFIPsModeEnabled 


cn=CRL 

DN cn=CRL, cn=SSL, cn=Configuration 

Description 

This entry contains certificate revocation list data from the first section 
(global stanza) of ibmslapd.conf. It is needed only if "ibm-slapdSslAuth = 
serverclientauth" in the cn=SSL entry and the dient certificates have been 
issued for CRL Validation. 

Number 

0 or 1 (optional) 

Object dass 

ibm-slapdCRL 

Mandatory Attributes 

• cn 

• ibm-slapdLdapCrlHost 
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• ibm-slapdLdapCrlPort 

• objectClass 

Optional Attributes 

• ibm-slapdLdapCrlUser 

• ibm-slapdLdapCrlPassword 

cn=Transaction 

DN cn = Transaction, cn = Configuration 

Description 

Specifies Global transaction support settings. Transaction support is 
provided using the plugin: 

Windows 2000, or Windows NT opemting System: 

extendedop /bin/1ibtranext.dl 1 tranExtOpInit 1.3.18.0.2.12.5 
1.3.18.0.2.12.6 

AIX: 

extendedop /Iib/1ibtranext.a tranExtOpInit 1.3.18.0.2.12.5 
1.3.18.0.2.12.6 

Solaris opemting System: 

extendedop /lib/1ibtranext.so tranExtOpInit 1.3.18.0.2.12.5 
1.3.18.0.2.12.6 

The Server (slapd) loads this plug-in automatically at startup if 
ibm-slapdTransactionEnable = TRUE. The plug-in does not need to be 
explicitly added to ibmslapd.conf. 

Number 

0 or 1 (optional; required only if you want to use transactions.) 

Object dass 

ibm-slapdTransaction 

Mandatory Attributes 


cn 


ibm-slapdMaxNumOfTransactions 

ibm-slapdMaxOpPer Transaction 


ibm-slapdMaxTimeLimitOfTransactions 

ibm-slapdTransactionEnable 



objectClass 


Optional Attributes 

• None 


cn=Digest 

DN cn = Digest, cn = Configuration 

Description 

Global configuration entries for the DIGEST-MD5 SASL bind mechanism. 

Number 

0 or 1 (optional) 
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Object Class 

ibm-slapdDigest 


Mandatory Attributes 


• 

cn 


• 

objectClass 


Optional Attributes 


ibm-slapdDigestRealm 


ibm-slapdDigestAttr 



ibm-slapdDigestAdminUser 


cn=admin audit 

DN cn = admin audit, cn = Configuration 

Description 

Audit service configuration for the Server. 

Number 

0 or 1 (optional) 

Object Class 

ibm-auditConfig 

Mandatory Attributes 

• cn 

Optional Attributes 

• ibm-audit 

• ibm-auditAdd 

• ibm-auditBind 

• ibm-auditDelete 

• ibm-auditExtOpEvent 

• ibm-auditFailedOpOnly 

• ibm-auditLog 

• ibm-auditModify 

• ibm-auditModifyDN 

• ibm-auditSearch 

• ibm-auditUnbind 

• ibm-auditVersion 

• ibm-auditExtOp 

cn=Audit 

DN cn = admin audit, cn = Configuration 

Description 

Audit service configuration for the admin daemon. 

Number 

0 or 1 (optional) 

Object Class 

ibm-auditConfig 

Mandatory Attributes 
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• cn 

Optional Attributes 

• ibm-audit 

• ibm-auditAdd 

• ibm-auditBind 

• ibm-auditDelete 

• ibm-auditExtOpEvent 

• ibm-auditFailedOpOnly 

• ibm-auditLog 

• ibm-auditModify 

• ibm-auditModifyDN 

• ibm-auditSearch 

• ibm-auditUnbind 

• ibm-auditVersion 

• ibm-auditExtOp 

cn=Connection Management 

DN cn=Connection Management, cn^Front End, cn=Configuration 

Description 

Global connection settings 

Number 

0 or 1 (optional) 

Object dass 

ibm-slapdConnectionManagement 

Mandatory Attributes 

• cn 

• objectClass 

Optional Attributes 


ibm-slapdEThreadEnable 

ibm-slapdAllowAnon 



ibm-slapdAnonReapingThreshold 

ibm-slapdBoundReapingThreshold 

ibm-slapdAllReapingThreshold 

ibm-slapdldleTimeOut 


ibm-slapdWriteTimeout 

ibm-slapdESizeThreshold 


ibm-slapdETimeThreshold 


ibm-slapdEThreadActivatc 



Attributes 


• cn 


ibm-slapdACLCache 


ibm-slapdACLCacheSize 

ibm-slapdA dminDN 
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ibm-slapdAdminGroupEnabled 

ibm-slapdAdminPW 



ibm-slapdAllowAnoi 

1 

ibm-slapdAllReapingThresholc 

1 

ibm-slapdAnonReapingThreshold 

ibm-slapdBoundReapingThreshold 

ibm-slapdBulkloadErrors 



ibm-slapdCachedAttribut 

3 

ibm-slapdCachedAttributeSize 


ibm-slapdChangeLogMaxAge 

ibm-slapdChangeLogMaxEntries 

ibm-slapdCLIErrors 



ibm-slapdConcurrentRW 



• ibm-slapdDB2CP 


• ibm-slapdDB Alias 


ibm-slapdPbConnections 

ibm-slapdPblnstance 


ibm-slapdPbLocation 


ibm-slapdPbName 


ibm-slapdPbUserIP 

ibm-slapdPbUserPW 

ibm-slapdPerefAliase 

s 

ibm-slapdPigestAdminUser 

ibm-slapdPigestAttr 


ibm-slapdPigestReali 

TL 


• ibm-slapdEnableEventNotification 

• ibm-slapdEntryCacheSize 

• ibm-slapdErrorLog 

• ibm-slapdESizeThreshold 

• ibm-slapdEThreadActivate 

• ibm-slapdEThreadEnable 

• ibm-slapdETimeThreshold 


• ibm-slapdFilterCacheBypassLimit 


ibm-slapdFilterCacheSize 

3 


ibm-slapdldleTimeOut 


ibm-slapdlncludeSchemc 


ibm-slapdSslKeyRingFilePW 


ibm-slapdKrbAdminPN 



ibm-slapdKrbEnable 



ibm-slapdKrbldentityMa 

P 

ibm-slapdKrbKeyTat 



ibm-slapdKrbRealm 



ibm-slapdLanguageTagsEnabled 

ibm-slapdLdapCrlHost 



ibm-slapdLdapCrlPassword 
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ibm-slapdLdapCrlPort 

ibm-slapdLdapCrlUser 

ibm-slapdMasterDN 


ibm-slapdMasterPW 


• ibm-slapdMasterReferral 


ibm-slapdMaxEventsPerConnection 


ibm-slapdMaxEventsTota] 



ibm-slapdMaxNumOfTransactions 

ibm-slapdMaxOpPerTransaction 

ibm-slapdMaxPendingChangesDisplayed 

ibm-slapdMaxTimeLimitOfTransactions 

ibm-slapdPagedResAllowNonAdmir 



• ibm-slapdPagedResLmt 


ibm-slapdPageSizeLmt 


ibm-slapdPlugin 


ibm-slapdPort 


ibm-slapdPwEncryption 


ibm-slapdReadOn’ 

I 

ibm-slapdReferral 


ibm-slapdReplDbConns 


ibm-slapdReplicaSubtre 

3 

ibm-slapdSchemaAdditions 

ibm-slapdSchemaCheck 


ibm-slapdSecurePc 

>rt 

ibm-slapdSecurity 


ibm-slapdServerld 


ibm-slapdSetenv 


ibm-slapdSizeLimi 

t 

ibm-slapdSortKeyLimit 


ibm-slapdSortSrchAllowNonAdmin 

ibm-slapdSslAuth 


ibm-slapdSslCertificate 


ibm-slapdSslCipherSpec 



ibm-slapdSslFIPsModeEnablec 

i 

ibm-slapdSslKeyDatabase 



ibm-slapdSslKeyDatabasePW 


ibm-slapdSslKeyRingFile 



ibm-slapdStartupTraceEnablec 


ibm-slapdSuffixJ 

ibm-slapdSupportedWebAdmVersion 

i b m - s 1 a p d S v s L o g L e v c 

>1 


ibm-slapdTimeLimit 




ibm-slapdTraceMessageLevel 


ibm-slapdTraceMessageLog 


ibm-slapdTransactionEnable 
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• ibm-slapdUseProcessIdPw 

• ibm-slapdVersion 


• ibm-slapdWriteTimeout 

• objectClass 



cn 


Description 

This is the X.500 common Name attribute, which contains a name of an 
object. 

Syntax 

Directory string 

Maximum Length 

256 

Value Multi-valued 

ibm-slapdACLCache 

Description 

Controls whether or not the Server Caches ACL information. 

• If set to TRUE, the Server Caches ACL information. 

• If set to FALSE, the Server does not cache ACL information. 

Default 

TRUE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdACLCacheSize 

Description 

Maximum number of entries to keep in the ACL Cache. 

Default 

25000 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdAdminDN 

Description 

The administrator bind DN for IBM Tivoli Directory Server Server. 

Default 

cn=root 
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Syntax 


DN 

Maximum Length 

Unlimited 

Value Single-valued 

ibm-slapdAdminGroupEnabled 

Description 

Specifies whether the Administrative Group is currently enabled. If set to 
TRUE, the Server will allow users in the administrative group to log in. 

Default 

FALSE 


Syntax 

Boolean 

Maximum Length 

128 

Value Single-valued 

ibm-slapdAdminPW 

Description 

The administrator bind password for IBM Tivoli Directory Server Server. 

Default 

secret 


Syntax 

Binary 

Maximum Length 

128 

Value Single-valued 

ibm-slapdAllowAnon 

Description 

Specifies if anonymous binds are allowed. 

Default 

True 


Syntax 

Boolean 

Maximum Length 

128 

Value Single-valued 

ibm-slapdAIIReapingThreshold 

Description 

Specifies a number of connections to maintain in the Server before 
connection management is activated. 
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Default 


1200 


Syntax 

Directory string with case-exact matching. 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdAnonReapingThreshold 

Description 

Specifies a number of connections to maintain in the Server betöre 
connection management of anonymous connections is activated. 

Default 

0 


Syntax 

Directory string with case-exact matching. 

Maximum Length 

1024 

Value Single-valued 


ibm-slapdBoundReapingThreshold 


Description 

Specifies a number of connections to maintain in the Server before 
connection management of anonymous and bound connections is activated. 


Default 

1100 


Syntax 

Directory string with case-exact matching. 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdBulkloadErrors 

Description 

File path or device on ibmslapd host machine to which bulkload error 
messages will be written. On Windows, forward slashes are allowed, and a 
leading slash not preceded by a drive letter is assumed to be rooted at the 
Installation directory (for example, /tmp/bulkload.errors = D:\Program 
Files \ IBM\ ldap \ tmp \bulkload .errors). 

Default 

/ var/bulkload.log 

Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Single-valued 


160 


IBM Tivoli Directory Server: Installation and Configuration Guide 


ibm-slapdCached Attribute 

Description 

Contains the names of the attributes to be cached in the attribute cache, 
one attribute name per value. 

Default 

None 


Syntax 

Directory String 

Maximum Length 

256 

Value Multi-valued 

ibm-slapdCachedAttributeSize 

Description 

Amount of memory, in bytes, that can be used by the attribute cache. A 
value of 0 indicates not use an attribute cache. 

Default 

0 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued. 

ibm-slapdChangeLogMaxAge 

Description 

Specifies the maximum age of changelog entries, in hours, allowed in the 
associated backend. Each changelog backend has its own 
ibm-slapdChangeLogMaxAge attribute. If the attribute is undefined or out 
of ränge (negative), it defaults to 0. Can be between 0 (no limit) and 
2,147,483,647. 

Default 

0 

Syntax 

Signed Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdChangeLogMaxEntries 

Description 

This attribute is used by a changelog plug-in to specify the maximum 
number of changelog entries allowed in the RDBM database. Each 
changelog has its own changeLogMaxEntries attribute. 

Minimum = 0 (unlimited) 

Maximum = 2,147,483,647 (32-bit, signed integer) 
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Default 

0 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdCLIErrors 

Description 

File path or device on ibmslapd host machine to which CLI error messages 
will be written. On Windows, forward slashes are allowed, and a leading 
slash not preceded by a drive letter is assumed to be rooted at the install 
directory (for example, /tmp/cli.errors = D:\Program 
Files \ IBM\ ldap \ tmp \ cli. errors). 

Default 

/var/db2cli.log 

Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdConcurrentRW 

Description 

Setting this attribute to TRUE allows searches to proceed simultaneously 
with Updates. It allows for 'dirty reads', that is, results that might not be 
consistent with the committed state of the database. 

Attention: This attribute is deprecated. 

Default 

FALSE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdDB2CP 

Description 

Specifies the code page of the directory database. 1208 is the code page for 
UTF-8 databases. 

Syntax 

Directory string with case-exact matching 

Maximum Length 

11 
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Value Single-valued 

ibm-slapdDBAIias 

Description 

The DB2 database alias. 


Syntax 

Directory string with case-exact matching 

Maximum Length 

8 

Value Single-valued 

ibm-slapdDbConnections 

Description 

Specify the number of DB2 connections the Server will dedicate to the DB2 
backend. The value must be between 5 & 50 (inclusive). 

Note: ODBCCONS environment variable Overrides the value of this 
directive. 

If ibm-slapdDbConnections (or ODBCCONS) is less than 5 or greater than 
50, the Server will use 5 or 50 respectively. One additional Connection will 
be created for replication (even if no replication is defined). 2 additional 
connections will be created for the change log (if change log is enabled). 

Default 

15 


Syntax 

Integer 

Maximum Length 

50 

Value Single-valued 

ibm-slapdDblnstance 

Description 

Specifies the DB2 database instance for this backend. 

Default 

ldapdb2 

Syntax 

Directory string with case-exact matching 

Maximum Length 

8 

Value Single-valued 

Note: All ibm-slapdRdbmBackend objects must use the same 

ibm-slapdDblnstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and 
DB2 character set. 
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ibm-slapdDbLocation 

Description 

The file System path where the backend database is located. Qn UNIX, this 
is usually the home directory of the DB2 instance owner (for example, 
/home/ldapdb2). On Windows, it is a drive (for example, D:). 

Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdDbName 

Description 

Specifies the DB2 database name for this backend. 

Default 

ldapdb2 

Syntax 

Directory string with case-exact matching 

Maximum Length 

8 

Value Single-valued 

ibm-slapdDbllserlD 

Description 

Specifies the user name with which to bind to the DB2 database for this 
backend. 

Default 

ldapdb2 

Syntax 

Directory string with case-exact matching 

Maximum Length 

8 

Value Single-valued 

Note: All ibm-slapdRdbmBackend objects must use the same 

ibm-slapdDblnstance ibm-slapdDbUserID, ibm-slapdDbUserPW and 
DB2 character set. 

ibm-slapdDbUserPW 

Description 

Specifies the user password with which to bind to the DB2 database for 
this backend. The password can be plain text or imask encrypted. 

Default 

ldapdb2 

Syntax 

Binary 
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Maximum Length 

128 

Value Single-valued 

Note: All ibm-slapdRdbmBackend objects must use the same 

ibm-slapdDblnstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and 
DB2 character set. 

ibm-slapdDerefAliases 

Description 

Maximum alias dereferencing level on search requests, regardless of any 
derefAliases that may have been specified on the dient requests. Allowed 
values are never, find, search and always. 

Default 

always 

Syntax 

Directory String 

Maximum Length 

6 

Value Single-valued 

ibm-slapdDigestAdminUser 

Description 

Specifies the Digest MD5 User Name of the LDAP administrator or 
administrative group member. Used when MD5 Digest authentication is 
used to authenticate an administrator. 


Default 

None 


Syntax 

Directory String 

Maximum Length 

512 

Value Single-valued 

ibm-slapdDigestAttr 

Description 

Overrides the default DIGEST-MD5 username attribute. The name of the 
attribute to use for DIGEST-MD5 SASL bind username lookup. If the value 
is not specified, the Server uses uid. 

Default 

If not specified, the Server uses uid. 

Syntax 

Directory string. 

Maximum Length 

64 

Value Single-valued 
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ibm-slapdDigestRealm 

Description 

Overrides the default DIGEST-MD5 realm. A string that can enable users to 
know which username and password to use, in case they might have 
different ones for different Servers. Conceptually, it is the name of a 
collection of accounts that might include the users account. This string 
should contain at least the name of the host performing the authentication 
and might additionally indicate the collection of users who might have 
access. An example might be registered_users@gotham.news.example.com. 
If the attribute is not specified, the Server uses the fully qualified hostname 
of the Server. 


Default 

The fully qualified hostname of the Server 

Syntax 

Directory string. 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdEnableEventNotification 

Description 

Specifies whether to enable Event Notification. It must be set to either 
TRUE or FALSE. 

If set to FALSE, the Server rejects all dient requests to register event 
notifications with the extended result LDAP_UNWILLING_TO_PERFORM. 

Default 

TRUE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdEntryCacheSize 

Description 

Maximum number of entries to keep in the entry cache. 

Default 

25000 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 
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ibm-slapdErrorLog 

Description 

Specifies the file path or device on the IBM Tivoli Directory Server Server 
machine to which error messages are written. On Windows 2000 or 
Windows NT operating Systems, forward slashes are allowed, and a 
leading slash not preceded by a drive letter is assumed to be rooted at the 
installation directory, that is /tmp/slapd.errors = c:\Program 
Files\IBM\ldap\var\ibmslapd.log. 

Default 

/var/ibmslapd.log 

Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdESizeThreshold 

Description 

Specifies the number of work items on the work queue before the 
Emergency thread is activated. 

Default 

50 

Syntax 

Integer 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdEThreadActivate 

Description 

Specifies which conditions will activate the Emergency Thread. Must be set 
to one of the following values: 


s 

Size only 

T 

Time only 

SOT 

Size or time 

SAT 

Size and time 

Default 

SAT 


Syntax 

String 


Maximum Length 


1024 


Value Single-valued 
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ibm-slapdEThreadEnable 

Description 

Specifies if the Emergency Thread is active. 

Default 

True 


Syntax 

Boolean 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdETimeThreshold 

Description 

Specifies the amount of time in minutes between items removed from the 
work queue before the Emergency thread is activated. 

Default 

5 

Syntax 

Integer 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdFilterCacheBypassLimit 

Description 

Search filters that match more than this number of entries will not be 
added to the Search Filter cache. Because the list of entry IDs that matched 
the filter are included in this cache, this setting helps to limit memory use. 
A value of 0 indicates no limit. 

Default 

100 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdFilterCacheSize 

Description 

Specifies the maximum number of entries to keep in the Search Filter 
Cache. 

Default 

25000 

Syntax 

Integer 
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Maximum Length 

11 

Value Single-valued 

ibm-slapdldleTimeOut 

Description 

Maximum time to keep an LDAP cormection open when there is no 
activity on the cormection. The idle time for an LDAP connection is the 
time (in seconds) between the last activity on the connection and the 
current time. If the connection has expired, based on the idle time being 
greater than the value of this attribute, the LDAP Server will clean up and 
end the LDAP connection, making it available for other incoming requests. 

Default 

300 

Syntax 

Integer 

Length 

11 

Count Single 

Usage Directory Operation 

User Modify 

Yes 

Access dass 

Critical 

Required 

No 

ibm-slapdlncludeSchema 

Description 

Specifies a file path on the IBM Tivoli Directory Server Server machine 
containing Schema definitions. On Windows 2000, Windows NT, or 
Windows XP operating Systems, forward slashes are allowed, and a 
leading slash not preceded by a drive letter (D:) is assumed to be rooted at 
the Installation directory; that is, /etc/V3.system.at = 

D:\Program Files\IBM\ldap\etc\V3.System.at. 

Default 

/etc/V3.system.at 
/etc/V3.system.oc 
/ etc/V3.config.at 
/ etc/V3.config.oc 
/ etc/V3.ibm.at 
/etc/V3.ibm.oc 
/ etc/V3.user.at 
/etc/V3.user.oc 
/etc/V3.1dapsyntaxes 
/ etc/V3.matchingrules 
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Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Multi-valued 

ibm-slapdSslKeyRingFilePW 

Description 

Specifies the password associated with the LDAP server's SSL key database 
file, as specified on the ibm-slapdSslKeyRingFile parameter. If the LDAP 
server's key database file has an associated password stash file, then the 
ibm-slapdSslKeyRingFilePW parameter can be omitted or set to 
i bm-sl apdSsl KeyRingFi 1 ePW = none. 

Note: The password stash file must be located in the same directory as the 
key database file and it must have the same file name as the key 
database file, but with an extension of .sth instead of .kdb. 

Default 

None. 


Syntax 

Directory string 

Maximum Length 

128 

Value Single-valued 

ibm-slapdKrbAdminDN 

Description 

Specifies the Kerberos ID of the LDAP administrator (for example, 
ibm-kn=adminl@realml). Used when Kerberos authentication is used to 
authenticate the administrator when logged onto the Server Administration 
interface. This attribute might be specified instead of or in addition to 
adminDN and adminPW. 


Default 

No preset default is defined. 

Syntax 

Directory string with case-exact matching 

Maximum Length 

128 

Value Single-valued 

ibm-slapdKrbEnable 

Description 

Specifies whether the Server Supports Kerberos authentication. It must be 
either TRUE or FALSE. 

Default 

TRUE 
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Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdKrbldentityMap 

Description 

Specifies whether to use Kerberos identity mapping. It must be set to either 
TRUE or FALSE. If set to TRUE, when a client is authenticated with a 
Kerberos ID, the Server searches for all local users with matching Kerberos 
credentials, and adds those user DNs to the bind credentials of the 
connection. This allows ACLs based on LDAP user DNs to still be usable 
with Kerberos authentication. 

Default 

FALSE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdKrbKeyTab 

Description 

Specifies the LDAP Server Kerberos keytab file. This file contains the LDAP 
Server private key, that is associated with its Kerberos account. This file is 
to be protected (like the Server SSL key database file). 

On Windows 2000, Windows NT, or Windows XP operating Systems, 
forward slashes are allowed, and any path not preceded by a drive letter. 
(D:) is assumed to be rooted at the installation directory (that is: 
/tmp/slapd.errors = D:\Program Files\IBM\ldap\tmp\slapd.errors). 

Default 

No preset default is defined. 

Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdKrbRealm 

Description 

Specifies the Kerberos realm of the LDAP Server. It is used to publish the 
ldapservicename attribute in the root DSE. Note that an LDAP Server can 
serve as the repository of account Information for multiple KDCs (and 
realms), but the LDAP Server, as a Server that is using Kerberos, can only 
be a member of a single realm. 
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Default 


No preset default is defined. 

Syntax 

Directory string with case-insensitive matching 

Maximum Length 

256 

Value Single-valued 

ibm-slapdLanguageTagsEnabled 

Description 

Whether or not the Server should allow language tags. The value read 
from the ibmslapd.conf file for this attribute is FALSE, but, can be set to 
TRUE. 

Default 

FALSE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdLdapCrIHost 

Description 

Specifies the host name of the LDAP Server that contains the Certificate 
Revocation Lists (CRLs) for validating dient x.509v3 certificates. This 
parameter is needed when ibm-slapdSslAuth=serverclientauth and the 
dient certificates have been issued for CRL validation. 


Default 

No preset default is defined. 

Syntax 

Directory string with case-insensitive matching 

Maximum Length 

256 

Value Single-valued 

ibm-slapdLdapCrIPassword 

Description 

Specifies the password that server-side SSL uses to bind to the LDAP 
Server that contains the Certificate Revocation Lists (CRLs) for validating 
dient x.509v3 certificates. This parameter might be needed when 
ibm-slapdSslAuth=serverclientauth and the dient certificates have been 
issued for CRL validation. 

Note: If the LDAP Server holding the CRLs permits unauthenticated access 
to the CRLs (that is, anonymous access), then ibm- 
slapdLdapCrlPassword is not required. 
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Default 


No preset default is defined. 

Syntax 

Binary 

Maximum Length 

128 

Value Single-valued 

ibm-slapdLdapCrIPort 

Description 

Specifies the port used to connect to the LDAP Server that contains the 
Certificate Revocation Lists (CRLs) for validating dient x.509v3 certificates. 
This parameter is needed when ibm-slapdSslAuth=serverclientauth and the 
dient certificates have been issued for CRL validation. (IP ports are 
unsigned, 16-bit integers in the ränge 1 - 65535) 

Default 

No preset default is defined. 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdLdapCrIUser 

Description 

Specifies the bindDN that the server-side SSL uses to bind to the LDAP 
Server that contains the Certificate Revocation Lists (CRLs) for validating 
dient x.509v3 certificates. This parameter might be needed when 
ibm-slapdSslAuth=serverclientauth and the dient certificates have been 
issued for CRL validation. 

Note: If the LDAP Server holding the CRLs permits unauthenticated access 
to the CRLs (that is, anonymous access), then ibm-slapdLdapCrIUser 
is not required. 

Default 

No preset default is defined. 

Syntax 

DN 

Maximum Length 

1000 

Value Single-valued 

ibm-slapdMasterDN 

Description 

Specifies the bind DN of master Server. The value must match the 
replicaBindDN in the replicaObject defined for the master Server. When 
Kerberos is used to authenticate to the replica, ibm-slapdMasterDN must 
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specify the DN representation of the Kerberos ID (for example, 
ibm-kn=freddy@realml). When Kerberos is used, MasterServerPW is 
ignored. 

Default 

No preset default is defined. 

Syntax 

DN 

Maximum Length 

1000 

Value Single-valued 

ibm-slapdMasterPW 

Description 

Specifies the bind password of master replica Server. The value must match 
replicaBindDN in the replicaObject defined for the master Server. When 
Kerberos is used to authenticate to the replica, ibm-slapdMasterDN must 
specify the DN representation of the Kerberos ID (for example, 
ibm-kn=freddy@realml). When Kerberos is used, MasterServerPW is 
ignored. 

Default 

No preset default is defined. 

Syntax 

Binary 

Maximum Length 

128 

Value Single-valued 

ibm-slapdMasterReferral 

Description 

Specifies the URL of the master replica Server. For example: 
ldap://master.us. ibm.com 

For security set to SSL only: 
ldaps://master.us. ibm.com: 636 

For security set to none and use a nonstandard port: 
ldap://master.us. ibm.com: 1389 

Default 

none 


Syntax 

Directory string with case-insensitive matching 

Maximum Length 

256 

Value Single-valued 
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ibm-slapdMaxEventsPerConnection 

Description 

Specifies the maximum number of event notifications that can be registered 
per connection. 

Minimum = 0 (unlimited) 

Maximum = 2,147,483,647 

Default 

100 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdMaxEventsTotal 

Description 

Specifies the maximum total number of event notifications that can be 
registered for all connections. 

Minimum = 0 (unlimited) 

Maximum = 2,147,483,647 

Default 

0 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdMaxNumOfTransactions 

Description 

Specifies the maximum number of transactions per Server. 

Minimum = 0 (unlimited) 

Maximum = 2,147,483,647 

Default 

20 


Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdMaxOpPerTransaction 

Description 

Specifies the maximum number of operations per transaction. 

Minimum = 0 (unlimited) 

Maximum = 2,147,483,647 
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Default 

5 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdMaxPendingChangesDisplayed 

Description 

Maximum number of pending changes to be displayed. 

Default 

200 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdMaxTimeLimitOfTransactions 

Description 

Specifies the maximum timeout value of a pending transaction in seconds. 

Minimum = 0 (unlimited) 

Maximum = 2,147,483,647 

Default 

300 

Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdPagedResAllowNonAdmin 

Description 

Whether or not the Server should allow non-administrator bind for paged 
results requests on a search request. If the value read from the 
ibmslapd.conf file is FALSE, the Server will process only those dient 
requests submitted by a user with administrator authority. If a dient 
requests paged results for a search Operation, does not have administrator 
authority, and the value read from the ibmslapd.conf file for this attribute 
is FALSE, the Server will return to the dient with return code 
insuffidentAccessRights; no searching or paging will be performed. 

Default 

FALSE 


Syntax 

Boolean 
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Length 

5 

Count Single 

Usage directoryOperation 

User Modify 

Yes 

Access dass 
critical 

Objectclass 

ibm-slapdRdbmBackend 

Required 

No 

ibm-slapdPagedResLmt 

Description 

Maximum number of outstanding paged results search requests allowed 
active simultaneously. Range = 0.... If a dient requests a paged results 
Operation, and a maximum number of outstanding paged results are 
currently active, then the Server will return to the dient with return code 
of busy; no searching or paging will be performed. 

Default 

3 

Syntax 

Integer 

Length 

11 

Count Single 

Usage directoryOperation 

User Modify 

Yes 

Access dass 
critical 

Required 

No 

Objectclass 

ibm-slapdRdbmBackend 

ibm-slapdPageSizeLmt 

Description 

Maximum number of entries to return from a search for an individual page 
when paged results control is specified, regardless of any pagesize that 
might have been specified on the dient search request. Range = 0.... If a 
dient has passed a page size, then the smaller value of the dient value and 
the value read from ibmslapd.conf will be used. 

Default 

50 
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Syntax 

Integer 

Length 

11 

Count Single 

Usage directoryOperation 

User Modify 

Yes 

Access dass 
critical 

Required 

No 

Objectclass 

ibm-slapdRdbmBackend 

ibm-slapdPlugin 

Description 

A plug-in is a dynamically loaded library that extends the capabilities of 
the Server. An ibm-slapdPlugin attribute specifies to the Server how to load 
and initialize a plug-in library. The Syntax is: 
keyword filename init_function [argrs...] 

The syntax is slightly different for each platform because of library naming 
conventions. See the Server Plug-ins Reference for a list of plug-ins included 
with IBM Tivoli Directory Server. 

Most plug-ins are optional, but the RDBM backend plug-in is required for 
all RDBM backends. 


Default 

database /bin/libback-rdbm.dll rdbm_backend_init 

Syntax 

Directory string with case-exact matching 

Maximum Length 

2000 

Value Multi-valued 

ibm-slapdPort 

Description 

Specifies the TCP/IP port used for non-SSL connections. It cannot have the 
same value as ibm-slapdSecurePort. (IP ports are unsigned, 16-bit integers 
in the ränge 1 - 65535.) 

Default 

389 

Syntax 

Integer 

Maximum Length 

5 
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Value Single-valued 


ibm-slapdPWEncryption 

Description 

Specifies the encoding mechanism for the user passwords before they are 
stored in the directory. It must be specified as none, imask, crypt, or sha 
(you must use the keyword sha in order to get SHA-1 encoding). The 
value must be set to none for the SASL cram-md5 bind to succeed. 


Default 

none 


Syntax 

Directory string with case-insensitive matching 

Maximum Length 

5 

Value Single-valued 


ibm-slapdReadOnly 

Description 

This attribute is normally applied to only the Directory backend. It 
specifies whether the backend can be written to. It must be specified as 
either TRUE or FALSE. It defaults to FALSE if unspecified. If set to TRUE, 
the Server returns LDAP_UNWILLING_TO_PERFORM (0x35) in response 
to any dient request that changes data in the readOnly database. 

Default 

FALSE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdReferral 

Description 

Specifies the referral LDAP URL to pass back when the local suffixes do 
not match the request. It is used for superior referral (that is, the suffix is 
not within the naming context of the Server). 

Default 

No preset default is defined. 

Syntax 

Directory string with case-exact matching 

Maximum Length 

32700 

Value Multi-valued 

ibm-slapdRepIDbConns 

Description 

Maximum number of database connections for use by replication. 
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Default 

4 


Syntax 

Integer 

Maximum Length 

11 

Value Single-valued 

ibm-slapdReplicaSubtree 

Description 

Identifies the DN of a replicated subtree 

Syntax 

DN 

Maximum Length 

1000 

Value Single-valued 

ibm-slapdSchemaAdditions 

Description 

The ibm-slapdSchemaAdditions attribute is used to identify explicitly 
which file holds new Schema entries. This attribute is set by default to be 
/etc/V3.modifiedschema. If this attribute is not defined, the Server reverts 
to using the last ibm-slapdlncludeSchema file as in previous releases. 

Before Version 3.2, the last includeSchema entry in slapd.conf was the file 
to which any new Schema entries were added by the Server if it received 
an add request from a dient. Normally the last includeSchema is the 
V3.modifiedschema file, which is an empty file installed just for this 
purpose. 

Note: The name modified is misleading, for it only stores new entries. 

Changes to existing Schema entries are made in their original files. 

Default 

/ etc / V3 .modif iedschema 

Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdSchemaCheck 

Description 

Specifies the Schema checking mechanism for the add/modify/delete 
Operation. It must be specified as V2, V3, or V3_lenient. 

• V2 - Retain v2 and v2.1 checking. Recommended for migration purpose. 

• V3 - Perform v3 checking. 

• V3_lenient - Not all parent object classes are needed. Only the 
immediate object dass is needed when adding entries. 
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Default 


V3_lenient 

Syntax 

Directory string with case-insensitive matching 

Maximum Length 

10 

Value Single-valued 

ibm-slapdSecurePort 

Description 

Specifies the TCP/IP port used for SSL Connections. It cannot have the 
same value as ibm-slapdPort. (IP ports are unsigned, 16-bit integers in the 
ränge 1 - 65535.) 

Default 

636 


Syntax 

Integer 

Maximum Length 

5 

Value Single-valued 

ibm-slapdSecurity 

Description 

Enables SSL connections. Must be none, SSL, or SSLOnly. 

• none - Server listens on the non-ssl port only. 

• SSL - Server listens on both the ssl and the non-ssl ports. 

• SSLQnly - Server listens on the ssl port only. 

Default 

none 


Syntax 

Directory string with case-insensitive matching 

Maximum Length 

7 

Value Single-valued 

ibm-slapdServerld 

Description 

Identifies the Server for use in replication. 

Syntax 

IA5 String with case-sensitive matching 

Maximum Length 

240 

Value Single-valued 
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ibm-slapdSetenv 

Description 

The Server runs putenvO for all values of ibm-slapdSetenv at startup to 
modify the Server runtime environment. Shell variables (like %PATH% or 
$LANG) are not expanded. 

Default 

No preset default is defined. 

Syntax 

Directory string with case-exact matching 

Maximum Length 

2000 

Value Multi-valued 

ibm-slapdSizeLimit 

Description 

The maximum number of entries to return from search, regardless of any 
size limit that might have been specified on the dient search request 
(Range = 0...). If a dient has passed a limit, then the smaller value of the 
dient values and the value read from the ibmslapd.conf file are used. If a 
dient has not passed a limit and has bound as admin DN, the limit is 
considered unlimited. If the dient has not passed a limit and has not 
bound as admin DN, then the limit is that which was read from the 
ibmslapd.conf file. 0 = unlimited. 

Default 

500 

Syntax 

Integer 

Maximum Length 

12 

Value Single-valued 

ibm-slapdSortKeyLimit 

Description 

The maximum number of sort conditions (keys) that can be specified on a 
single search request. Range = 0.... If a dient has passed a search request 
with more sort keys than the limit allows, and the sorted search control 
criticality is FALSE, then the Server will honor the value read from the 
ibmslapd.conf file and ignore any sort keys encountered after the limit has 
been reached - searching and sorting will be performed. If a dient has 
passed a search a request with more keys than the limit allows, and the 
sorted search control criticality is TRUE, then the Server will return to the 
dient with a return code of adminLimitExceeded - no searching or sorting 
will be performed. 

Default 

3 


Syntax 

cis 
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Length 

11 

Count Single 

Usage directoryOperation 

User Modify 

Yes 

Access dass 
critical 

Objectclass 

ibm-slapdRdbmBackend 

Required 

No 

ibm-slapdSortSrchAllowNonAdmin 

Description 

Whether or not the Server should allow non-administrator bind for sort on 
a search request. If the value read from the ibmslapd.conf file is FALSE, the 
Server will process only those dient requests submitted by a user with 
administrator authority. If a dient requests sort for a search Operation, does 
not have administrator authority, and the value read from the 
ibmslapd.conf file for this attribute is FALSE, the Server will return to the 
dient with return code insufficientAccessRights - no searching or sorting 
will be performed. 

Default 

FALSE 

Syntax 

Boolean 

Length 

5 

Count Single 

Usage directoryOperation 

User Modify 

Yes 

Access dass 
critical 

Objectclass 

ibm-slapdRdbmBackend 

Required 

No 

ibm-slapdSslAuth 

Description 

Specifies the authentication type for the SSL connection, either serverauth 
or serverclientauth. 

• serverauth - Supports Server authentication at the dient. This is the 
default. 
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• serverclientauth - Supports both Server and dient authentication. 


Default 

serverauth 


Syntax 

Directory string with case-insensitive matching 

Maximum Length 

16 

Value Single-valued 

ibm-slapdSsICertificate 

Description 

Specifies the label that identifies the Server Personal Certificate in the key 
database file. This label is specified when the Server private key and 
certificate are created with the gsk4ikm application. If 
ibm-slapdSsICertificate is not defined, the default private key, as defined in 
the key database file, is used by the LDAP Server for SSL connections. 

Default 

No preset default is defined. 

Syntax 

Directory string with case-exact matching 

Maximum Length 

128 

Value Single-valued 

ibm-slapdSsICipherSpec 

Specifies the method of SSL encryption for clients accessing the Server. Must be set 
to one of the following: 


Table 5. Methods of SSL encryption 


Attribute 

Encryption level 

TripleDES-168 

Triple DES encryption with a 168-bit key 
and a SHA-1 MAC 

DES-56 

DES encryption with a 56-bit key and a 
SHA-1 MAC 

RC4-128-SHA 

RC4 encryption with a 128-bit key and a 
SHA-1 MAC 

RC4-128-MD5 

RC4 encryption with a 128-bit key and a 

MD5 MAC 

RC2-40-MD5 

RC4 encryption with a 40-bit key and a MD5 
MAC 

RC4-40-MD5 

RC4 encryption with a 40-bit key and a MD5 
MAC 

AES 

AES encryption 


Syntax 

IA5 String 

Maximum Length 

30 
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ibm-slapdSslFIPsModeEnabled 

Description 

If TRUE, specifies that the Server will use the ICC version of GSKit; if 
FALSE, specifies that the Server will use the BSAFE version. 

Default 

Varies by platform 

Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdSslKeyDatabase 

Description 

Specifies the file path to the LDAP Server SSL key database file. This key 
database file is used for handling SSL Connections from LDAP clients, as 
well as for creating secure SSL Connections to replica LDAP Servers. 

Qn Windows 2000, Windows NT, or Windows XP operating Systems, 
forward slashes are allowed, and a leading slash not preceded by a drive 
specifier (D:) is assumed to be rooted at the installation directory (that is, 
/etc/key.kdb = D:\Program Files\IBM\ldap\etc\key.kdb). 

Default 

/etc/key.kdb 

Syntax 

Directory string with case-exact matching 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdSslKeyDatabasePW 

Description 

Specifies the password associated with the LDAP Server SSL key database 
file, as specified on the ibm-slapdSslKeyDatabase parameter. If the LDAP 
Server key database file has an associated password stash file, then the 
ibm-slapdSslKeyDatabasePW parameter can be omitted, or set to none. 

Note: The password stash file must be located in the same directory as the 
key database file and it must have the same file name as the key 
database file, but with an extension of .sth instead of .kdb. 

Default 

none 


Syntax 

Binary 

Maximum Length 

128 

Value Single-valued 
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ibm-slapdSslKeyRingFile 

Description 

Path to the LDAP server's SSL key database file. This key database file is 
used for handling SSL connections from LDAP clients, as well as for 
creating secure SSL connections to replica LDAP Servers. On Windows, 
forward slashes are allowed, and a leading slash not preceded by a drive 
specifier is assumed to be rooted at the installation directory (for example, 
/etc/key.kdb = c:\Program Files\IBM\ldap\etc\key.kdb). 

Default 

key.kdb 

Syntax 

Directory String with case-sensitive matching 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdStartupTraceEnabled 

Description 

Specifies whether trace Information is to be collected at Server startup. 
Must be TRUE or FALSE. 

Default 

FALSE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdSuffix 

Description 

Specifies a naming context to be stored in this backend. 

Note: This has the same name as the object dass. 

Default 

No preset default is defined. 

Syntax 

DN 

Maximum Length 

1000 

Value Multi-valued 

ibm-slapdSupportedWebAdmVersion 

Description 

This attribute defines the earliest version of the Web Administration Tool 
that Supports this Server of cn=configuration. 

Default 
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Syntax 

Directory String 
Maximum Length 
Value Single-valued 

ibm-slapdSysLogLevel 

Description 

Specifies the level at which debugging and Operation statistics are logged 
in the slapd.errors file. It must be specified as 1, m, or h. 

• h - high (provides the most information) 

• m - medium (the default) 

• 1 - low (provides the least information) 

Default 

m 


Syntax 

Directory string with case-insensitive matching 

Maximum Length 

1 

Value Single-valued 

ibm-slapdTimeLimit 

Description 

Specifies the maximum number of seconds to spend on a search request, 
regardless of any time limit that might have been specified on the dient 
request. If a dient has passed a limit, then the smaller value of the dient 
values and the value read from ibmslapd.conf are used. If a dient has not 
passed a limit and has bound as admin DN, the limit is considered 
unlimited. If the dient has not passed a limit and has not bound as admin 
DN, then the limit is that which was read from the ibmslapd.conf file. 0 = 
unlimited. 


Default 

900 

Syntax 

Integer 

Maximum Length 
Value Single-valued 

ibm-slapdTraceMessageLevel 

Description 

Sets the debug message level. Use the command ibmslapd -h ? to see the 
available levels. 

Default 

OxFFFF (or 65535) 

Syntax 

Directory string 
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Maximum Length 

16 

Value Single-valued 

ibm-slapdTraceMessageLog 

Description 

File path or device on the ibmslapd host Computer to which LDAP C API 
and Debug macro messages will be written. On Windows, forward slashes 
are allowed, and a leading slash not preceded by a drive letter is assumed 
to be rooted at the Installation directory (for example, /tmp/ tracemsg.log = 
C: \Program Files \IBM\ldap \ tmp \tracemsg.log). 

Default 

Varies by platform 

Syntax 

Directory String 

Maximum Length 

1024 

Value Single-valued 

ibm-slapdTransactionEnable 

Description 

If the transaction plug-in is loaded but ibm-slapdTransactionEnable is set 
to FALSE, the Server rejects all StartTransaction requests with the response 
LDA P_U NW IL LI NG_T0_P E R F0 RM. 

Default 

TRUE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 

ibm-slapdllseProcessIdPw 

Description 

If set to TRUE, the Server ignores the ibm-slapdDbUserID and the 
ibm-slapdDbUserPW attributes and uses its own process credentials to 
authenticate to DB2. 

Default 

FALSE 


Syntax 

Boolean 

Maximum Length 

5 

Value Single-valued 
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ibm-slapdVersion 

Description 

IBM Slapd version Number 

Default 

Syntax 

Directory String with case-sensitive matching 

Maximum Length 
Value Single-valued 

ibm-slapdWriteTimeout 

Description 

Specifies a timeout value in seconds for blocked writes. When the time 
limit is reached the connection will be dropped. 

Default 

120 

Syntax 

Integer 

Maximum Length 

1024 

Value Single-valued 

objectClass 

Description 

The values of the objectClass attribute describe the kind of object that an 
entry represents. 

Syntax 

Directory string 

Maximum Length 

128 

Value Multi-valued 
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Appendix L. Notices 


This information was developed for products and Services offered in the U.S.A. 
IBM might not öfter the products, Services, or features discussed in this document 
in other countries. Consult your local IBM representative for information on the 
products and Services currently available in your area. Any reference to an IBM 
product, program, or Service is not intended to state or imply that only that IBM 
product, program, or Service may be used. Any functionally equivalent product, 
program, or Service that does not infringe any IBM intellectual property right may 
be used instead. However, it is the user's responsibility to evaluate and verify the 
Operation of any non-IBM product, program, or Service. 

IBM may have patents or pending patent applications covering subject matter in 
this document. The furnishing of this document does not give you any license to 
these patents. You can send license inquiries, in writing, to: 

IBM Director of Licensing 
IBM Corporation 
North Castle Drive 
Armonk, NY 10504-1785 
U.S.A. 

For license inquiries regarding double-byte (DBCS) information, contact the IBM 
Intellectual Property Department in your country or send inquiries, in writing, to: 

IBM World Trade Asia Corporation Licensing 
2-31 Roppongi 3-chome, Minato-ku 
Tokyo 106, Japan 

The following paragraph does not apply to the United Kingdom or any other 
country where such provisions are inconsistent with local law: 

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS 
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER 
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS 
FOR A PARTICULAR PURPOSE. Some States do not allow disclaimer of express or 
implied warranties in certain transactions, therefore, this Statement may not apply 
to you. 

This information could include technical inaccuracies or typographical errors. 
Changes are periodically made to the information herein; these changes will be 
incorporated in new editions of the information. IBM may make improvements 
and/or changes in the product(s) and/or the program(s) described in this 
information at any time without notice. 

Any references in this information to non-IBM Web sites are provided for 
convenience only and do not in any mariner serve as an endorsement of those Web 
sites. The materials at those Web sites are not part of the materials for this IBM 
product and use of those Web sites is at your own risk. 

IBM may use or distribute any of the information you supply in any way it 
believes appropriate without incurring any Obligation to you. 
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Licensees of this program who wish to have information about it for the purpose 
of enabling: (i) the exchange of information between independently created 
programs and other programs (including this one) and (ii) the mutual use of the 
information which has been exchanged, should contact: 

IBM Corporation 

Department MU5A46 

11301 Burnet Road 

Austin, TX 78758 

U.S.A. 

Such information may be available, subject to appropriate terms and conditions, 
including in some cases, payment of a fee. 

The licensed program described in this document and all licensed material 
available for it are provided by IBM under terms of the IBM Customer Agreement, 
IBM International Program License Agreement, or any equivalent agreement 
between us. 

Any performance data contained herein was determined in a controlled 
environment. Therefore, the results obtained in other operating environments may 
vary significantly. Some measurements may have been made on development-level 
Systems and there is no guarantee that these measurements will be the same on 
generally available Systems. Furthermore, some measurement may have been 
estimated through extrapolation. Actual results may vary. Users of this document 
should verify the applicable data for their specific environment. 

Information conceming non-IBM products was obtained from the suppliers of 
those products, their published announcements or other publicly available sources. 
IBM has not tested those products and cannot confirm the accuracy of 
performance, compatibility or any other claims related to non-IBM products. 
Questions on the capabilities of non-IBM products should be addressed to the 
suppliers of those products. 

This information contains examples of data and reports used in daily business 
operations. To illustrate them as completely as possible, the examples include the 
names of individuals, Companies, brands, and products. All of these names are 
fictitious and any similarity to the names and addresses used by an actual business 
enterprise is entirely coincidental. 

It you are viewing this information softcopy, the photographs and color 
illustrations may not appear. 

Trademarks 

The following terms are trademarks of International Business Machines 

Corporation in the United States, or other countries, or both: 

AIX 

DB2 

IBM 

iSeries 

OS/400 

pSeries 

RS/6000 

S/390 

SecureWay 
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SP 

Tivoli 

WebSphere 

xSeries 

z/OS 

zSeries 

Intel, Intel Inside (logos), MMX™ and Pentium® are trademarks of Intel 
Corporation in the United States, other countries, or both. 

Java and all Java-based trademarks and logos are trademarks or registered 
trademarks of Sun Microsystems, Inc. in the United States and other countries. 

Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of 
Microsoft Corporation 

UNIX is a registered trademark in the United States and/or other countries 
licensed exclusively through X/Open Company Limited. 

Other Company, product, and Service names may be trademarks or Service marks 
of others. 
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